Edit tour

Windows Analysis Report
JHGFDFG.exe

Overview

General Information

Sample name:	JHGFDFG.exe
Analysis ID:	1592444
MD5:	c53a3df894a8a6460f1fbffa80b5a8f7
SHA1:	3237b7ef9e4772cf3d0bba4353c601e03a02e830
SHA256:	2549a53e3dfb35c7c62a864a4cb7443861301caa458f4653e43ac6ff6ae153c2
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

JHGFDFG.exe (PID: 5512 cmdline: "C:\Users\user\Desktop\JHGFDFG.exe" MD5: C53A3DF894A8A6460F1FBFFA80B5A8F7)

RegAsm.exe (PID: 4480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7410470116:AAHnBIMop-ci79oElVeTQe_sfzjuRKlAfHw", "Telegram Chatid": "7470423348"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xffcd:$a1: get_encryptedPassword 0x10309:$a2: get_encryptedUsername 0xfd5a:$a3: get_timePasswordChanged 0xfe7b:$a4: get_passwordField 0xffe3:$a5: set_encryptedPassword 0x119b3:$a7: get_logins 0x11664:$a8: GetOutlookPasswords 0x11442:$a9: StartKeylogger 0x11903:$a10: KeyLoggerEventArgs 0x1149f:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.3298816359.0000000003486000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6879d:$a1: get_encryptedPassword 0x807c5:$a1: get_encryptedPassword 0x987e5:$a1: get_encryptedPassword 0xb0605:$a1: get_encryptedPassword 0x68ad9:$a2: get_encryptedUsername 0x80b01:$a2: get_encryptedUsername 0x98b21:$a2: get_encryptedUsername 0xb0941:$a2: get_encryptedUsername 0x6852a:$a3: get_timePasswordChanged 0x80552:$a3: get_timePasswordChanged 0x98572:$a3: get_timePasswordChanged 0xb0392:$a3: get_timePasswordChanged 0x6864b:$a4: get_passwordField 0x80673:$a4: get_passwordField 0x98693:$a4: get_passwordField 0xb04b3:$a4: get_passwordField 0x687b3:$a5: set_encryptedPassword 0x807db:$a5: set_encryptedPassword 0x987fb:$a5: set_encryptedPassword 0xb061b:$a5: set_encryptedPassword 0x6a183:$a7: get_logins
Process Memory Space: JHGFDFG.exe PID: 5512	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: JHGFDFG.exe PID: 5512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JHGFDFG.exe PID: 5512	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: JHGFDFG.exe PID: 5512	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28001:$a1: get_encryptedPassword 0x2832e:$a2: get_encryptedUsername 0x27da2:$a3: get_timePasswordChanged 0x27ec3:$a4: get_passwordField 0x28017:$a5: set_encryptedPassword 0x29989:$a7: get_logins 0x2963a:$a8: GetOutlookPasswords 0x29418:$a9: StartKeylogger 0x298d9:$a10: KeyLoggerEventArgs 0x29475:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 4480	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4480	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4480	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4ac85:$a1: get_encryptedPassword 0x4afb2:$a2: get_encryptedUsername 0x4aa26:$a3: get_timePasswordChanged 0x4ab47:$a4: get_passwordField 0x4ac9b:$a5: set_encryptedPassword 0x4c60d:$a7: get_logins 0x4c2be:$a8: GetOutlookPasswords 0x4c09c:$a9: StartKeylogger 0x4c55d:$a10: KeyLoggerEventArgs 0x4c0f9:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.JHGFDFG.exe.3c4d5d0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.JHGFDFG.exe.3c4d5d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JHGFDFG.exe.3c4d5d0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.JHGFDFG.exe.3c4d5d0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
0.2.JHGFDFG.exe.3c4d5d0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12af9:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e07:$a4: \Orbitum\User Data\Default\Login Data 0x13bff:$a5: \Kometa\User Data\Default\Login Data
0.2.JHGFDFG.exe.3c655f8.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.JHGFDFG.exe.3c655f8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JHGFDFG.exe.3c655f8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.JHGFDFG.exe.3c655f8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
0.2.JHGFDFG.exe.3c655f8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12af9:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e07:$a4: \Orbitum\User Data\Default\Login Data 0x13bff:$a5: \Kometa\User Data\Default\Login Data
0.2.JHGFDFG.exe.3c7d618.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.JHGFDFG.exe.3c7d618.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JHGFDFG.exe.3c7d618.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.JHGFDFG.exe.3c7d618.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
0.2.JHGFDFG.exe.3c7d618.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12af9:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e07:$a4: \Orbitum\User Data\Default\Login Data 0x13bff:$a5: \Kometa\User Data\Default\Login Data
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
1.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c07:$a4: \Orbitum\User Data\Default\Login Data 0x159ff:$a5: \Kometa\User Data\Default\Login Data
0.2.JHGFDFG.exe.3c7d618.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.JHGFDFG.exe.3c7d618.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JHGFDFG.exe.3c7d618.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.JHGFDFG.exe.3c7d618.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x27fed:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28329:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x27d7a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x27e9b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28003:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x299d3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29684:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x29462:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x29923:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler 0x294bf:$a11: KeyLoggerEventArgsEventHandler
0.2.JHGFDFG.exe.3c7d618.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d21b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c719:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c07:$a4: \Orbitum\User Data\Default\Login Data 0x2ca27:$a4: \Orbitum\User Data\Default\Login Data 0x159ff:$a5: \Kometa\User Data\Default\Login Data 0x2d81f:$a5: \Kometa\User Data\Default\Login Data
0.2.JHGFDFG.exe.3c655f8.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.JHGFDFG.exe.3c655f8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JHGFDFG.exe.3c655f8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.JHGFDFG.exe.3c655f8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x281ed:$a1: get_encryptedPassword 0x4000d:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28529:$a2: get_encryptedUsername 0x40349:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x27f7a:$a3: get_timePasswordChanged 0x3fd9a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x2809b:$a4: get_passwordField 0x3febb:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28203:$a5: set_encryptedPassword 0x40023:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29bd3:$a7: get_logins 0x419f3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29884:$a8: GetOutlookPasswords 0x416a4:$a8: GetOutlookPasswords
0.2.JHGFDFG.exe.3c655f8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d41b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4523b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c919:$a3: \Google\Chrome\User Data\Default\Login Data 0x44739:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c07:$a4: \Orbitum\User Data\Default\Login Data 0x2cc27:$a4: \Orbitum\User Data\Default\Login Data 0x44a47:$a4: \Orbitum\User Data\Default\Login Data 0x159ff:$a5: \Kometa\User Data\Default\Login Data 0x2da1f:$a5: \Kometa\User Data\Default\Login Data 0x4583f:$a5: \Kometa\User Data\Default\Login Data
0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x281f5:$a1: get_encryptedPassword 0x40215:$a1: get_encryptedPassword 0x58035:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28531:$a2: get_encryptedUsername 0x40551:$a2: get_encryptedUsername 0x58371:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x27f82:$a3: get_timePasswordChanged 0x3ffa2:$a3: get_timePasswordChanged 0x57dc2:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x280a3:$a4: get_passwordField 0x400c3:$a4: get_passwordField 0x57ee3:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x2820b:$a5: set_encryptedPassword 0x4022b:$a5: set_encryptedPassword 0x5804b:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins
0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x45443:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d263:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c921:$a3: \Google\Chrome\User Data\Default\Login Data 0x44941:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c761:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c07:$a4: \Orbitum\User Data\Default\Login Data 0x2cc2f:$a4: \Orbitum\User Data\Default\Login Data 0x44c4f:$a4: \Orbitum\User Data\Default\Login Data 0x5ca6f:$a4: \Orbitum\User Data\Default\Login Data 0x159ff:$a5: \Kometa\User Data\Default\Login Data 0x2da27:$a5: \Kometa\User Data\Default\Login Data 0x45a47:$a5: \Kometa\User Data\Default\Login Data 0x5d867:$a5: \Kometa\User Data\Default\Login Data
Click to see the 30 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T06:31:58.775970+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JHGFDFG.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7410470116:AAHnBIMop-ci79oElVeTQe_sfzjuRKlAfHw", "Telegram Chatid": "7470423348"}

Multi AV Scanner detection for submitted file

Source: JHGFDFG.exe	ReversingLabs: Detection: 65%
Source: JHGFDFG.exe	Virustotal: Detection: 55%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: JHGFDFG.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: JHGFDFG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Source\Repos\ZIRKZEE\ZIRKZEE\obj\Debug\JHGFDFG.pdb source: JHGFDFG.exe
Source:	Binary string: C:\Users\Administrator\Source\Repos\ZIRKZEE\ZIRKZEE\obj\Debug\JHGFDFG.pdbFI source: JHGFDFG.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 015B9731h	1_2_015B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 015B9E5Ah	1_2_015B9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 015B9E5Ah	1_2_015B9D87

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000001.00000002.3298816359.000000000339E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000001.00000002.3298816359.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000001.00000002.3298816359.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_015BC530	1_2_015BC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_015B2DD1	1_2_015B2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_015B9480	1_2_015B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_015B19B8	1_2_015B19B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_015BC521	1_2_015BC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_015B946F	1_2_015B946F

Source: JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs JHGFDFG.exe
Source: JHGFDFG.exe, 00000000.00000002.2055410904.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs JHGFDFG.exe
Source: JHGFDFG.exe, 00000000.00000002.2054630780.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs JHGFDFG.exe

Source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\JHGFDFG.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JHGFDFG.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: JHGFDFG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JHGFDFG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\JHGFDFG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.3298816359.0000000003411000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.000000000344F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.0000000003420000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.0000000003443000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.000000000342F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3299674539.000000000435D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: JHGFDFG.exe	ReversingLabs: Detection: 65%
Source: JHGFDFG.exe	Virustotal: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\JHGFDFG.exe "C:\Users\user\Desktop\JHGFDFG.exe"
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: JHGFDFG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: JHGFDFG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: JHGFDFG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Source\Repos\ZIRKZEE\ZIRKZEE\obj\Debug\JHGFDFG.pdb source: JHGFDFG.exe
Source:	Binary string: C:\Users\Administrator\Source\Repos\ZIRKZEE\ZIRKZEE\obj\Debug\JHGFDFG.pdbFI source: JHGFDFG.exe

Source: JHGFDFG.exe

Static PE information: 0xE7D56015 [Thu Apr 2 14:24:21 2093 UTC]

Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe TID: 1124

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.3298217056.0000000001677000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\JHGFDFG.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\JHGFDFG.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\JHGFDFG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11A5008	Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe	Queries volume information: C:\Users\user\Desktop\JHGFDFG.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\JHGFDFG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3298816359.0000000003486000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c7d618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c655f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JHGFDFG.exe.3c4d5d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JHGFDFG.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4480, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JHGFDFG.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
JHGFDFG.exe	56%	Virustotal		Browse
JHGFDFG.exe	100%	Avira	TR/Dropper.Gen
JHGFDFG.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://reallyfreegeoip.orgd	0%	Avira URL Cloud	safe
http://checkip.dyndns.comd	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000001.00000002.3298816359.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189d	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegAsm.exe, 00000001.00000002.3298816359.00000000033CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegAsm.exe, 00000001.00000002.3298816359.000000000339E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000001.00000002.3298816359.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	JHGFDFG.exe, 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3298816359.00000000033B0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592444
Start date and time:	2025-01-16 06:31:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JHGFDFG.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 4480 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
193.122.6.168	MV Nicos Tomasos Vessel Parts.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	MV Nicos Tomasos Vessel Parts.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
reallyfreegeoip.org	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	MV Nicos Tomasos Vessel Parts.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Execute.ps1	Get hash	malicious	Metasploit	Browse	158.101.196.44
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
CLOUDFLARENETUS	https://guf1.xemirax.ru/	Get hash	malicious	Unknown	Browse	104.21.85.129
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	https://guf1.xemirax.ru/6XAVE/#S#ZWRtb25kLmxlZUBpbm5vY2FwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://yt1s.com/en115	Get hash	malicious	Unknown	Browse	104.21.11.245
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	Pedang @ P#U00ecsau.exe	Get hash	malicious	Brontok	Browse	104.21.48.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\JHGFDFG.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.828586347753447
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	JHGFDFG.exe
File size:	343'552 bytes
MD5:	c53a3df894a8a6460f1fbffa80b5a8f7
SHA1:	3237b7ef9e4772cf3d0bba4353c601e03a02e830
SHA256:	2549a53e3dfb35c7c62a864a4cb7443861301caa458f4653e43ac6ff6ae153c2
SHA512:	b2682e0e5854f745359dcad21f3d903e7a0d204d544271fcd4300c97d99b9ace9d93adac3285a70ab3c5896228955804b9f4bade702c5d4058736ab132b2cab1
SSDEEP:	6144:/fDuSxhHV/AG4tZTjABMgcn5/lX82O3Fu5JARlWnz:/ruqh1/AG4jTjvgc5dX82O1u5J2lWnz
TLSH:	7A744FA038EB9229F073AE7A5AD275D6DD2FBE732F06603D1091334646B2D41DDD213A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`............"...0..*..........rI... ...`....@.. ....................................`................................

File Icon


Icon Hash:	457131250f454580

Static PE Info

General

Entrypoint:	0x444972
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE7D56015 [Thu Apr 2 14:24:21 2093 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4491e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x10e68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44884	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x42978	0x42a00	3d9bea4a79e41eba2d204be4f5239772	False	0.4880613860225141	data	4.143234654239205	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x10e68	0x11000	f35f4c04e8a7e3fba5eb3ee3310b2c1c	False	0.04706169577205882	data	4.7004617503029875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	2066321c62197875842fd9eb9a386f4e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x46100	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.036510706258133206
RT_GROUP_ICON	0x56938	0x14	data	1.15
RT_VERSION	0x5695c	0x30c	data	0.43333333333333335
RT_MANIFEST	0x56c78	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T06:31:58.775970+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 06:31:57.910634995 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:31:57.915611029 CET	80	49704	193.122.6.168	192.168.2.5
Jan 16, 2025 06:31:57.915734053 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:31:57.916148901 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:31:57.921009064 CET	80	49704	193.122.6.168	192.168.2.5
Jan 16, 2025 06:31:58.543250084 CET	80	49704	193.122.6.168	192.168.2.5
Jan 16, 2025 06:31:58.547563076 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:31:58.552406073 CET	80	49704	193.122.6.168	192.168.2.5
Jan 16, 2025 06:31:58.733879089 CET	80	49704	193.122.6.168	192.168.2.5
Jan 16, 2025 06:31:58.747708082 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:58.747751951 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:58.747818947 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:58.754214048 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:58.754255056 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:58.775969982 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:31:59.234781027 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:59.234870911 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:59.240398884 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:59.240423918 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:59.240756989 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:59.285670042 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:59.331357002 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:59.399806023 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:59.399892092 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 06:31:59.400295019 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:31:59.414356947 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 06:33:03.733377934 CET	80	49704	193.122.6.168	192.168.2.5
Jan 16, 2025 06:33:03.733470917 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:33:38.796982050 CET	49704	80	192.168.2.5	193.122.6.168
Jan 16, 2025 06:33:38.801898956 CET	80	49704	193.122.6.168	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 06:31:57.893768072 CET	51841	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:31:57.900975943 CET	53	51841	1.1.1.1	192.168.2.5
Jan 16, 2025 06:31:58.736542940 CET	64228	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:31:58.744448900 CET	53	64228	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 06:31:57.893768072 CET	192.168.2.5	1.1.1.1	0xd501	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.736542940 CET	192.168.2.5	1.1.1.1	0x8eaa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 06:31:57.900975943 CET	1.1.1.1	192.168.2.5	0xd501	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 06:31:57.900975943 CET	1.1.1.1	192.168.2.5	0xd501	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:57.900975943 CET	1.1.1.1	192.168.2.5	0xd501	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:57.900975943 CET	1.1.1.1	192.168.2.5	0xd501	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:57.900975943 CET	1.1.1.1	192.168.2.5	0xd501	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:57.900975943 CET	1.1.1.1	192.168.2.5	0xd501	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:31:58.744448900 CET	1.1.1.1	192.168.2.5	0x8eaa	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	193.122.6.168	80	4480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 06:31:57.916148901 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 06:31:58.543250084 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 05:31:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 06:31:58.547563076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 06:31:58.733879089 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 05:31:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.48.1	443	4480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 05:31:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 05:31:59 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 05:31:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2320308 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K%2BDnxx%2BsUaiIZwU9vguIJc6KW6O85deRMZFX5UPlrTuewtFwZKcEv2BVISRV6Tu4nfwSM7UDA09qnfIJaPbW216EtvVFViz6qazEQxQVkcuOWeB%2FHFgqM3jKh4aI5iC1g0jyIAEX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902bb8efdeb58cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1969&rtt_var=750&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1446977&cwnd=244&unsent_bytes=0&cid=fea6f64cb26c960e&ts=176&x=0"
2025-01-16 05:31:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	00:31:56
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\JHGFDFG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JHGFDFG.exe"
Imagebase:	0x830000
File size:	343'552 bytes
MD5 hash:	C53A3DF894A8A6460F1FBFFA80B5A8F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2055541765.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:31:56
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf00000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.3297654418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.3298816359.0000000003486000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	42.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	3

Executed Functions

Function 029805B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 346
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03BF3578,03BF357C,029812BE,?,?,?,?,?), ref: 0298164B

Strings

Rb, xrefs: 02981369
Rb, xrefs: 02981398

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: CreateProcess
String ID: Rb$Rb
API String ID: 963392458-3448890300
Opcode ID: 39fd8d7d8a39c1ac9ec9cc429d724503e77a6c963ee8632fcfb7e4113fc2e8cd
Instruction ID: 39f772fb7c8515b9608a2d49913ad0663d44153081d5a71360b305d21e88af42
Opcode Fuzzy Hash: 39fd8d7d8a39c1ac9ec9cc429d724503e77a6c963ee8632fcfb7e4113fc2e8cd
Instruction Fuzzy Hash: 07D13570D002698FDB24DFA8C880BEDBBF5FF49304F0491AAD559A7250DB749A85CF91

Function 029805BC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 341
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03BF3578,03BF357C,029812BE,?,?,?,?,?), ref: 0298164B

Strings

Rb, xrefs: 02981369
Rb, xrefs: 02981398

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: CreateProcess
String ID: Rb$Rb
API String ID: 963392458-3448890300
Opcode ID: 917601cfa79d4333d8a9b37651e2eba484e2b9252426aeec8459ecaaedde6248
Instruction ID: d3fbd4a835738f683b76fc3c6a4dc47040d1b2a1abd622aa949563d20dc05e74
Opcode Fuzzy Hash: 917601cfa79d4333d8a9b37651e2eba484e2b9252426aeec8459ecaaedde6248
Instruction Fuzzy Hash: CCD12570D002298FDB24DFA8C880BEDBBF5FF49304F0491AAD559A7250DB749A85CF95

Function 0298131D Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 341
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,03BF3578,03BF357C,029812BE,?,?,?,?,?), ref: 0298164B

Strings

Rb, xrefs: 02981369
Rb, xrefs: 02981398

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: CreateProcess
String ID: Rb$Rb
API String ID: 963392458-3448890300
Opcode ID: a6bb4b82dfb46d961dab9041c310edc1b05861a85e32b5c82bf2b95cf1a7cfcf
Instruction ID: e4e7ce3650514d5f0c4d4de2bd04fcbf9dacdb9f9958baf8ac89d9d5c339ef02
Opcode Fuzzy Hash: a6bb4b82dfb46d961dab9041c310edc1b05861a85e32b5c82bf2b95cf1a7cfcf
Instruction Fuzzy Hash: A0D12670D002298FDB24DFA8C881BEDBBF5BF49304F0491AAD459A7250DB749A86CF91

Function 0298056B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,02981A9B,?,?), ref: 02981B7C

Strings

Rb, xrefs: 02981AED

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Rb
API String ID: 1726664587-1629373818
Opcode ID: a3c5e2751368e5b0b5a93de81b29065ce37560a56d09b3e4af4c104d4aa7041e
Instruction ID: 78f7a67fca60d6d53d0af95e87c8429653cd1341ad1396c5ea541b44b128d662
Opcode Fuzzy Hash: a3c5e2751368e5b0b5a93de81b29065ce37560a56d09b3e4af4c104d4aa7041e
Instruction Fuzzy Hash: 9951F475C092989FCB01CFA9D984ADDBFF0FF0A300F14909AE454BB251D375A946CB55

Function 02980620 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 02982115

Strings

Rb, xrefs: 02982065

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Rb
API String ID: 3559483778-1629373818
Opcode ID: ea8d1eef21f1251e4f4294780b3b9a7c10d469baef25e408d54be85fc6b9eecc
Instruction ID: d77358246ec225936c211974c2fbcde44e0f979da000930bde2cf4fc2717f4f9
Opcode Fuzzy Hash: ea8d1eef21f1251e4f4294780b3b9a7c10d469baef25e408d54be85fc6b9eecc
Instruction Fuzzy Hash: DF419AB4D002989FCB10DFA9D984AEEBBF1BF09310F24906AE818B7210D374A945CB64

Function 0298062C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 02982115

Strings

Rb, xrefs: 02982065

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Rb
API String ID: 3559483778-1629373818
Opcode ID: 39b2881bc4ad1a26db7c35e1beeedcd6b406bcd16998bd0580affc12b9bc46cc
Instruction ID: 8f7ad9375fdb69938b16a71dffc74fa8d90d066d79f4856dd93425569f40accb
Opcode Fuzzy Hash: 39b2881bc4ad1a26db7c35e1beeedcd6b406bcd16998bd0580affc12b9bc46cc
Instruction Fuzzy Hash: 354187B4D002589FCB10DFA9D984AEEFBF1FB09310F24902AE818B7210D379A945CF64

Function 02982039 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 02982115

Strings

Rb, xrefs: 02982065

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Rb
API String ID: 3559483778-1629373818
Opcode ID: a428cc6cec39b92a94b62f05698090d3edf49640913a15c168602527a2765821
Instruction ID: fd8cf4821dc02db58719b2f98c97da76a29fed982d19e707d6cfcf6029628398
Opcode Fuzzy Hash: a428cc6cec39b92a94b62f05698090d3edf49640913a15c168602527a2765821
Instruction Fuzzy Hash: CC416AB5D002589FCB10DFA9D984AEEFBF1BF49314F24902AE918B7210D375A945CF64

Function 029805F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,02981A9B,?,?), ref: 02981B7C

Strings

Rb, xrefs: 02981AED

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Rb
API String ID: 1726664587-1629373818
Opcode ID: ce5e3592478fd3332ee2e12b3b9d0a81a1c9614b654b75c0f1e2c8699bf36af0
Instruction ID: 2dd4670b7ca557d82b04612d1a20a4b0c82afa270b87df065ab783be83d66930
Opcode Fuzzy Hash: ce5e3592478fd3332ee2e12b3b9d0a81a1c9614b654b75c0f1e2c8699bf36af0
Instruction Fuzzy Hash: 7D41A9B5D042589FCB00DFA9D984AEEFBF0BF19310F14906AE818B7210D375A942CF64

Function 029805FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,02981A9B,?,?), ref: 02981B7C

Strings

Rb, xrefs: 02981AED

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Rb
API String ID: 1726664587-1629373818
Opcode ID: 0edb6fe50dffffcd951036e1fad95a1f64f38d0b402768ee71d41b603921fb6a
Instruction ID: d958a10e0435afc3f714e870dd1625984982ed24a1a448fe6be7e2b901d5f6cf
Opcode Fuzzy Hash: 0edb6fe50dffffcd951036e1fad95a1f64f38d0b402768ee71d41b603921fb6a
Instruction Fuzzy Hash: 9C4198B9D002589FCB00DFA9D984AEEFBF1BB09310F14902AE818B7210D375A941CF64

Function 02980608 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02981D64

Strings

Rb, xrefs: 02981CD5

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: AllocVirtual
String ID: Rb
API String ID: 4275171209-1629373818
Opcode ID: f0a141fea03f4d7911535184da6d89ffd07092968b5712135507b87c72117f9a
Instruction ID: 325647ac500b15e34cbed2029ae627a978b70b6fa416b4c6fb262a39d1d7052d
Opcode Fuzzy Hash: f0a141fea03f4d7911535184da6d89ffd07092968b5712135507b87c72117f9a
Instruction Fuzzy Hash: C84189B8D042589FCB10DFA9D984A9EFBF4FF09310F14906AE818BB210D375A941CFA4

Function 02981AC1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(00000004,?,02981A9B,?,?), ref: 02981B7C

Strings

Rb, xrefs: 02981AED

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Rb
API String ID: 1726664587-1629373818
Opcode ID: ffb57129c8cda90ac8a6bf42b769f9397939977fc8bdbee80c29c8f08a8054bc
Instruction ID: 6377045fd7735a160ffddd982e8a07b10cd4f74e451f2bcd762cbe13d2bd0d31
Opcode Fuzzy Hash: ffb57129c8cda90ac8a6bf42b769f9397939977fc8bdbee80c29c8f08a8054bc
Instruction Fuzzy Hash: 954189B9D052589FCF00CFA9D984AEEFBB1BF09310F14946AE819B7210D375A945CF64

Function 02981CB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02981D64

Strings

Rb, xrefs: 02981CD5

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: AllocVirtual
String ID: Rb
API String ID: 4275171209-1629373818
Opcode ID: 6f75cc7da9f3220c96d5aaa4631f7a758573114cdc1bae4a3c2a0a91916b988b
Instruction ID: f095e6e5780cc6c5df2dd4764b6f9a6b082b08c7725dffef24317a3145cca07c
Opcode Fuzzy Hash: 6f75cc7da9f3220c96d5aaa4631f7a758573114cdc1bae4a3c2a0a91916b988b
Instruction Fuzzy Hash: 464175B8D012589FCF10CFA9D984ADEFBB1BF49310F24902AE818B7210D375A942CF64

Function 02980614 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02981D64

Strings

Rb, xrefs: 02981CD5

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: AllocVirtual
String ID: Rb
API String ID: 4275171209-1629373818
Opcode ID: 496ee930c950d889dfa2aaa45aeb85bb9833b14aad26341094c6a787c45eaec0
Instruction ID: 7b724c5ad6156ce43f1607cc5e73201c64f79b116474ad4e413d530beb43e682
Opcode Fuzzy Hash: 496ee930c950d889dfa2aaa45aeb85bb9833b14aad26341094c6a787c45eaec0
Instruction Fuzzy Hash: EE4165B8D002589FCB10DFA9D984A9EFBB5FF09310F14942AE818B7210D375A942CBA4

Function 02980638 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 029819E9

Strings

Rb, xrefs: 0298195A

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Rb
API String ID: 983334009-1629373818
Opcode ID: 7e2287f065bf89e2d79d1a3088e9b7e94fe94b9016f17cc0d83fc28e73bd4f33
Instruction ID: 0ff2a78d66a047497bafe31f0bf9e47ca0e196a4e45908b0e935f559ff9c88cc
Opcode Fuzzy Hash: 7e2287f065bf89e2d79d1a3088e9b7e94fe94b9016f17cc0d83fc28e73bd4f33
Instruction Fuzzy Hash: E741BCB4D012589FCB10DFA9D984ADEBBF0BF09310F14806AE418B7210D379A946CFA4

Function 029805D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 029819E9

Strings

Rb, xrefs: 0298195A

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Rb
API String ID: 983334009-1629373818
Opcode ID: 7d5e5b234725725f54f0eb1a292929fc6aa82111b22fbbeada807af00684e149
Instruction ID: 08aae672e2b2647d0f8414ecde4e7a0744579fe9753d9238d642c2d276c9f057
Opcode Fuzzy Hash: 7d5e5b234725725f54f0eb1a292929fc6aa82111b22fbbeada807af00684e149
Instruction Fuzzy Hash: B2419BB4D012589FCB10DFAAD984ADEFBF5BB49310F14802AE418B7310D379A946CFA4

Function 02980644 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 029819E9

Strings

Rb, xrefs: 0298195A

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Rb
API String ID: 983334009-1629373818
Opcode ID: a54fb1c4fa1e4ec1c6d5c9a87371e38bd18e535c27f824ebefc75c54d6198edd
Instruction ID: 15616902f4fe12445b6330f1423d9a66f4f4cd2a018578d884fe66bf54ad42ba
Opcode Fuzzy Hash: a54fb1c4fa1e4ec1c6d5c9a87371e38bd18e535c27f824ebefc75c54d6198edd
Instruction Fuzzy Hash: 67419BB4D012589FCB10DFAAD984ADEFBF4BB49310F14802AE418B7310D379A946CFA4

Function 02981930 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 029819E9

Strings

Rb, xrefs: 0298195A

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Rb
API String ID: 983334009-1629373818
Opcode ID: f4193e479ea9ca104b6636771895177a0c51ad64a44ff693b8cea9a5f25bf841
Instruction ID: 38abbed191204f9b8c55877675f9e94a2aac7380cd0e637f38485ebe910dd996
Opcode Fuzzy Hash: f4193e479ea9ca104b6636771895177a0c51ad64a44ff693b8cea9a5f25bf841
Instruction Fuzzy Hash: 5E419CB4D012589FCB10CFA9D584ADEFBF1BB49310F14802AE458B7250D379A946CF65

Function 0298065C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(00000000), ref: 02982445

Strings

Rb, xrefs: 029823E5

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: ResumeThread
String ID: Rb
API String ID: 947044025-1629373818
Opcode ID: d5c2e90ac54a09429b7ffa40b79593912419ca7f6936eb5efd604ea67b1da531
Instruction ID: af35b23e69145e9d7315a59b690bebd2d1586f02eaeda89ffab0d9cefc4569c9
Opcode Fuzzy Hash: d5c2e90ac54a09429b7ffa40b79593912419ca7f6936eb5efd604ea67b1da531
Instruction Fuzzy Hash: FC3188B4D012589FCB10DFA9E584A9EFBF4FB09310F14946AE918B7310D775A941CFA4

Function 029823C1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(00000000), ref: 02982445

Strings

Rb, xrefs: 029823E5

Memory Dump Source

Source File: 00000000.00000002.2055130185.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2980000_JHGFDFG.jbxd

Similarity

API ID: ResumeThread
String ID: Rb
API String ID: 947044025-1629373818
Opcode ID: 63eacaf1299ef7eccbc9466ce64facfb1204955bdd42efbcfd8525d248aee96e
Instruction ID: e460cf34f14d6f5c5398408ad6349084ccac99fa0b019ade246dd18b7ddc679e
Opcode Fuzzy Hash: 63eacaf1299ef7eccbc9466ce64facfb1204955bdd42efbcfd8525d248aee96e
Instruction Fuzzy Hash: 703198B8D012589FCB10CFA9E584A9EFBF4BF09310F14906AE818B7310C775A945CF64

Analysis Process: RegAsm.exePID: 4480, Parent PID: 5512COMMON

Executed Functions

Function 015B19B8 Relevance: 8.5, Strings: 6, Instructions: 971COMMON

Download Yara Rule

Strings

Xaq, xrefs: 015B1B7C
Xaq, xrefs: 015B2C95
Xaq, xrefs: 015B1B2F
Xaq, xrefs: 015B2CBE
Xaq, xrefs: 015B1AB0
Xaq, xrefs: 015B1A76

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 3495cb1c83c6f8d29ca72b021982c38e551e4203a207ca6cf05e351a67982a49
Instruction ID: a310a95e413316e6006e8c6cd44b86ea3530f9b1dfb5596721134faf98243a89
Opcode Fuzzy Hash: 3495cb1c83c6f8d29ca72b021982c38e551e4203a207ca6cf05e351a67982a49
Instruction Fuzzy Hash: BD7250366883558FC7918F25A4D01D4BBE1FF9123172884AECDC48E156D73E688EEB71

Function 015BC530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 015BF910

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 511eb2f7ff27fd0e49227cba75aa0cf5acc4cfa33a0d0c93f19e8087e8fee69c
Instruction ID: 11408a4163904b16d7b25aaac910b95ae78c863f571eb58f07737cd58703e546
Opcode Fuzzy Hash: 511eb2f7ff27fd0e49227cba75aa0cf5acc4cfa33a0d0c93f19e8087e8fee69c
Instruction Fuzzy Hash: D873D731C1065A8EDB11EF68C854AEDFBB1FF95300F51D69AE4486B221EB70AAD4CF41

Function 015B2DD1 Relevance: 2.8, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

Xaq, xrefs: 015B2E0F
$]q, xrefs: 015B2DF6

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 7e19175260968e7dbbc0123cfed1aeac1776fc99da06784df31a52a8721dc997
Instruction ID: da634c753bfb43d2fab8eb080c86a6aa46ebd7f7771abc6893d0c98013935b01
Opcode Fuzzy Hash: 7e19175260968e7dbbc0123cfed1aeac1776fc99da06784df31a52a8721dc997
Instruction Fuzzy Hash: DA91A631B002599BDF58DF78989427EBBB7BFC8710B15892DE406EB288DE35C806D791

Function 015B9480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ce9e64418d59c81124a3411f2abe4f827152a41e1839db41ab9f8a8e0657b5
Instruction ID: 23f3920ca0193c12c33b2929903cd12ee0d03cd8d1c8064dbed49568c9da2cce
Opcode Fuzzy Hash: 51ce9e64418d59c81124a3411f2abe4f827152a41e1839db41ab9f8a8e0657b5
Instruction Fuzzy Hash: 2FC1AE74E00218CFDB14DFA5D984BADBBB2BF88305F1090A9D809AB355DB359A85CF11

Function 015BC521 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee472356d2e3ed03b854cadd671fbfb3c399ba62a41260c2ccfc6d8b1eae5d33
Instruction ID: abc2dd83d7f80d3554ce99d8fa3ad4bf88940204acda35dae33064a4be2a4dcd
Opcode Fuzzy Hash: ee472356d2e3ed03b854cadd671fbfb3c399ba62a41260c2ccfc6d8b1eae5d33
Instruction Fuzzy Hash: 9EA12A71D016198EDB15DFA9C8847EDFBB1FF89300F14C6AAE4186B261EB709A84CF41

Function 015B9A30 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1459343ee59d942257d583fa2bf4820a886992ba156864427405aaa15db4bcb6
Instruction ID: fc468a9edf4c71be0d8066d96c6c26d80cc3ddfbe06109da819541359169164c
Opcode Fuzzy Hash: 1459343ee59d942257d583fa2bf4820a886992ba156864427405aaa15db4bcb6
Instruction Fuzzy Hash: 0CA10570D00209CFEB14DFA9C598BDDBBB1FF88305F208269E519AB2A1DB749985CF51

Function 015B9D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3d35260bf5fd3d9f59906b1136689fe88a86ab297904ae7fac78beb43d3e98
Instruction ID: 17feababb96aa2e872c97ee639508abf367133a58fe284c253fa9574647dafd5
Opcode Fuzzy Hash: fa3d35260bf5fd3d9f59906b1136689fe88a86ab297904ae7fac78beb43d3e98
Instruction Fuzzy Hash: 9491F4B0D00208CFEB10DFA8C988BDDBBB1FF49315F209269E519AB291DB749985CF15

Function 015B946F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f23bf6f116b5d491dc6306afcddceb0af365c923001b60ce4952b8ce42f444f
Instruction ID: 1147ccfbd518fa9f0f7b5f01f4b9f36c91f9dec7293309e5723d49e4d5b85919
Opcode Fuzzy Hash: 7f23bf6f116b5d491dc6306afcddceb0af365c923001b60ce4952b8ce42f444f
Instruction Fuzzy Hash: 5A41E5B4E01208CBDB18CFAAD8546EDBBF2BF88305F24D029D915AB255EB399945CF50

Function 015BB500 Relevance: 6.6, Strings: 5, Instructions: 380COMMON

Download Yara Rule

Strings

8bq, xrefs: 015BB941
TJbq, xrefs: 015BB97A
Haq, xrefs: 015BB749
Haq, xrefs: 015BB6EA
Haq, xrefs: 015BB54E

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: 8bq$Haq$Haq$Haq$TJbq
API String ID: 0-1597716666
Opcode ID: 75b470a614f8d1306489484559f6bc4559d82b00c3bde011e97e05b35d699a61
Instruction ID: 30249f0ca449ba1951efb0133402e6f912687b043901be41a69579c7c82815c9
Opcode Fuzzy Hash: 75b470a614f8d1306489484559f6bc4559d82b00c3bde011e97e05b35d699a61
Instruction Fuzzy Hash: 5ED1BE30B042058FDB15DF6CC890AAE7BA6FF89320F244569E506EF3A1DA75DC42CB91

Function 015B3F78 Relevance: 6.4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 015B4088
0o@p, xrefs: 015B3FDA
PH]q, xrefs: 015B40E1
PH]q, xrefs: 015B40F2
Lj@p, xrefs: 015B4078

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: fde0e9b7405667a6ba1e6369f4fa7e33a918ff7db747d3b2a7bce1cef2a2d5a4
Instruction ID: 2f002927d31c10796ff1ae31bd127135207621c510261eeed03b7b6477977db3
Opcode Fuzzy Hash: fde0e9b7405667a6ba1e6369f4fa7e33a918ff7db747d3b2a7bce1cef2a2d5a4
Instruction Fuzzy Hash: 5A51C274E002089FDB58DFA9D5849EDBBF2BF89310F108469E816AB364DB349846CF10

Function 015BAD3D Relevance: 5.6, Strings: 4, Instructions: 560COMMON

Download Yara Rule

Strings

, xrefs: 015BB065
Haq, xrefs: 015BB1D3
Haq, xrefs: 015BB239
Haq, xrefs: 015BB206

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: $Haq$Haq$Haq
API String ID: 0-432640594
Opcode ID: 7b59029c7f87f9714e7710a9c0d10116d2954c3508ef1607b65cc4c23dd2ea50
Instruction ID: 9afe28eebd36cf3803a3939ef097b5bfae4d74d8e0bc2683ad998563d613f84f
Opcode Fuzzy Hash: 7b59029c7f87f9714e7710a9c0d10116d2954c3508ef1607b65cc4c23dd2ea50
Instruction Fuzzy Hash: 65A19E307002199FDB269F7898986BE7FA2FF85320F14862AE9268B3D1DF759D01C751

Function 015BB869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8bq, xrefs: 015BB941
TJbq, xrefs: 015BB97A

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: dd76ef3ac834aca8586c9bdec14ade321e92161047b3a5dc56ad8b16f6e35cfe
Instruction ID: 8c3feb10eb2bb7ff2ea764c010824628c704b4879d41f0f76d8657dcf390de7d
Opcode Fuzzy Hash: dd76ef3ac834aca8586c9bdec14ade321e92161047b3a5dc56ad8b16f6e35cfe
Instruction Fuzzy Hash: 1331F235B001098FCB45DBA8C591EDEBBB6FF88220F195454E505AF365CB71EC45CB90

Function 015BB89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8bq, xrefs: 015BB941
TJbq, xrefs: 015BB97A

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: 8bq$TJbq
API String ID: 0-3440557903
Opcode ID: e08f660b54156381f235e6caa60789eff4e751089921c82dd3e47a29ffee9cbd
Instruction ID: e883701238142569eab4807e2d0772dbab74afe4a9b786880a279e37ea131b2c
Opcode Fuzzy Hash: e08f660b54156381f235e6caa60789eff4e751089921c82dd3e47a29ffee9cbd
Instruction Fuzzy Hash: 0531F135B401098FCB45DBA8C590EDEBBB6FF88220F195454E505AF3A5CA71EC86CB90

Function 015B0B20 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

LR]q, xrefs: 015B0B62

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 7802c56af5de01d778cd37881a5e31fe7fc541d41a57e57c076ae49b9b2a746c
Instruction ID: 5a8f329685346e4c9dabd0d57d240c6fee9b746f6056f46261ee3a8444a08ad4
Opcode Fuzzy Hash: 7802c56af5de01d778cd37881a5e31fe7fc541d41a57e57c076ae49b9b2a746c
Instruction Fuzzy Hash: 3AA13170A0020ACFCB15DFA8E9949EEBBB9FF89306F109165D405AB365DB389D45CF81

Function 015B0B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR]q, xrefs: 015B0B62

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 606e67ce5a9b68c41c43184fb627adcc48df3d045b4c8c316458bd7d12928a6d
Instruction ID: 055be4cc58f0719030d29502e7cac894ddb557947187b471fd1530cb3ecdd4ef
Opcode Fuzzy Hash: 606e67ce5a9b68c41c43184fb627adcc48df3d045b4c8c316458bd7d12928a6d
Instruction Fuzzy Hash: DFA11174A0020ACFCB14DFA8E9949EEBBB9FF88302F109565D415AB365DB386D45CF81

Function 015BBDD9 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

Haq, xrefs: 015BBE36

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 2343c70af9a06854c295c45cf01cee04d1ac34377567fcb957d800922c9d9bde
Instruction ID: b702530b0a0f72cf1c3cde208ace166a322c0106bc93bb727cc062353dba24fd
Opcode Fuzzy Hash: 2343c70af9a06854c295c45cf01cee04d1ac34377567fcb957d800922c9d9bde
Instruction Fuzzy Hash: BE21A3306042099FC709DF68D995BAE7FB6FF95301F25806ED5058B3A5DE719D02CB90

Function 015BBD01 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Haq, xrefs: 015BBD2D

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 3af6a2e94a2d3c10a035e9502a816cd18417271447f426240a4394e49b4607c5
Instruction ID: b1b18d4a8dd1ccf8448f8034e1891cb4c938264c79a8b52be8ebc7b101f6d16b
Opcode Fuzzy Hash: 3af6a2e94a2d3c10a035e9502a816cd18417271447f426240a4394e49b4607c5
Instruction Fuzzy Hash: F4214D71B001099FCB44EFB8D895ABE7BF6FF88300B104469E519DB295DE349E02CB90

Function 015BBF6F Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955737b43d9e611dfeb8e1cd5487437bf81c68aecd7970372109ca5afa5606d5
Instruction ID: d34e8a79ab60d00c0d876ab937f2e961668971be8582af7a9a2d5d9a89775121
Opcode Fuzzy Hash: 955737b43d9e611dfeb8e1cd5487437bf81c68aecd7970372109ca5afa5606d5
Instruction Fuzzy Hash: 4C51C272B002099FCB149A7DD894AAEBBE9FBC9324F14853AE529DB750D631D80187A4

Function 015B3158 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f145f06ae0be09863bd18726d9e1b67820f34bde40dd14a706a549531921203
Instruction ID: 52534feaeaa9041642114595ab5337c74320f018532ac1de22c3b632674c11ee
Opcode Fuzzy Hash: 3f145f06ae0be09863bd18726d9e1b67820f34bde40dd14a706a549531921203
Instruction Fuzzy Hash: 2941B375E012099FCB48DFAAD8949DDBBB2FF89310F249429E405BB364DB349845CF10

Function 015B3168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f6edf471a41024327caf78aec15500a3a8675aca9aeea0daed6a3dd59f9a27
Instruction ID: 4e708bf0d709eaf733469d0027803f0176c571692fa5d59a9eb90dc4b7566d6f
Opcode Fuzzy Hash: e6f6edf471a41024327caf78aec15500a3a8675aca9aeea0daed6a3dd59f9a27
Instruction Fuzzy Hash: 0F41B174E012098FCB58DFAAD8949DEBBF2BF89310F249429E805BB364DB349845CF14

Function 015B9249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca394921fc47a57f1edf6a4bbced34a447acede451f6447cdf638ea5a3ebf21d
Instruction ID: 4ae74ed5f2f56805854c33a8d3afb3eb0617d48f9244643465fc363942d5a574
Opcode Fuzzy Hash: ca394921fc47a57f1edf6a4bbced34a447acede451f6447cdf638ea5a3ebf21d
Instruction Fuzzy Hash: C231AC7053664E8FD2412F61A5EF27ABFA2FB4F3A7B046C11F92A81515BF30A4849B50

Function 015B18C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b814ddd21c51a57b02bfd1b0bec22704ccb5cbd5004422f33c9dfed57e2ae46
Instruction ID: 8077f1de08068a955fb9e4958120a94eaf47a9bf5747df387c6a0496efacadb3
Opcode Fuzzy Hash: 2b814ddd21c51a57b02bfd1b0bec22704ccb5cbd5004422f33c9dfed57e2ae46
Instruction Fuzzy Hash: 5A21B031A006469FCB54CF68D4909FE37A5FB88264F14C419D80E9B240EB34EA0ACBC2

Function 0151D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3297902173.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_151d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9c26d6b1eceb7ab82a656433e32af096a57b13302f95c785a6111c8810a06b
Instruction ID: 44cd03ef3f8f37f66eb83bb1820f3f2b7e19b289faeebff844f5936792a648ef
Opcode Fuzzy Hash: 3d9c26d6b1eceb7ab82a656433e32af096a57b13302f95c785a6111c8810a06b
Instruction Fuzzy Hash: FA214275504200DFEB12CF98C9C8B26BBB5FB84314F20CA6DD8090F25AD33AD846CA62

Function 015B0EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761c10096aff1e77adf01d765452e4ceec818d3a69f7882f2a4c80c0e177fd91
Instruction ID: 1f8a4bc1e3ad97e3e8ee4a364c7c4b4b47a9c2e991b67c727cb3fa3eab22eee1
Opcode Fuzzy Hash: 761c10096aff1e77adf01d765452e4ceec818d3a69f7882f2a4c80c0e177fd91
Instruction Fuzzy Hash: FE215E70E442099FEB0AEFB8C4546AEBBB6FF85304F10C4A994149F294DB784945CF51

Function 0151D006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3297902173.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_151d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dd8fbfc29929b13d724b353d81eb7a69b8d04149469fcb710cbb077971a281
Instruction ID: 03f3390fba0c1da43752847da93f52f9b1507e185c3deece8a2787d7e108cf1d
Opcode Fuzzy Hash: 51dd8fbfc29929b13d724b353d81eb7a69b8d04149469fcb710cbb077971a281
Instruction Fuzzy Hash: C7216B755093C08FDB13CF64C994715BF71AB46214F29C5EBC8898F2A7C23A984ACB62

Function 015BBB37 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ea1b6a6cd24cc39befff45251eeffaf7bab5b684e72aa32b83ef3018200ffd
Instruction ID: 5eb35a93fe7e4ac3d8fc514258641605ac5f441082fc3e5dad28e605bd208217
Opcode Fuzzy Hash: b7ea1b6a6cd24cc39befff45251eeffaf7bab5b684e72aa32b83ef3018200ffd
Instruction Fuzzy Hash: F2117C767002008FD724DF69D998A9AB7E6FF88721B14846EE549CF365CA71DC05CB10

Function 015B17B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767ee4e664160df9c5c6cc4ad29696d850a84fa606c3c1fa689d4f9be6c57acd
Instruction ID: 0a6ea8d036d72d728be4b3c151711618afb75dc982c6155be480d702a78f2e2b
Opcode Fuzzy Hash: 767ee4e664160df9c5c6cc4ad29696d850a84fa606c3c1fa689d4f9be6c57acd
Instruction Fuzzy Hash: AA214570D0460A8FCB50DFA8D8805EEBFB0FF4A310F04516AD405BB215EB344A94CBA1

Function 015BC108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cebb87970f87fae88e3603d5fa5c6f03df2201e1200bbec183510833e0acd9
Instruction ID: 4f8a13ad3e7a046fa4cd455407b44d7c08d058c3bc291b44bbfc9f8d8e2bc488
Opcode Fuzzy Hash: 56cebb87970f87fae88e3603d5fa5c6f03df2201e1200bbec183510833e0acd9
Instruction Fuzzy Hash: 52114C75E0021A8BCB50EFB884945EEBFF5BF88251B444539D509BB200DA31DC428BE5

Function 015B4850 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7797761509d2ae451f898c7be13d07a089b2eab7c8eabe51a44666279c1c7d1
Instruction ID: db5142f1e4f1737e7c1e3df3d61274d21d7588bcf88439c16589d255a2406591
Opcode Fuzzy Hash: f7797761509d2ae451f898c7be13d07a089b2eab7c8eabe51a44666279c1c7d1
Instruction Fuzzy Hash: 4101F532B003015FD7359F7D889466E77EAAF84659315447DD90ACB315FE31C802CB92

Function 015B4860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8be605583a1991fd4a1343a285aca8776b5cff427d65f1a7194809c2560221d
Instruction ID: 9b7bd7bb9e5156e3ee12a01ca70e299f31fea985514ea2d8ba3f18cb5f2ca468
Opcode Fuzzy Hash: f8be605583a1991fd4a1343a285aca8776b5cff427d65f1a7194809c2560221d
Instruction Fuzzy Hash: 4E01A232B002114FD734AE7D889456E77EBAFC45653104539D90ACB315FE71C8028B92

Function 015BA508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaf8503e32927961e778e3076854d386f8f3495522f0023f91ea421e437177b
Instruction ID: 44d155ee53c0785778f91f4968da7694761db6b82586c9a210bffb466cc089ea
Opcode Fuzzy Hash: adaf8503e32927961e778e3076854d386f8f3495522f0023f91ea421e437177b
Instruction Fuzzy Hash: A6012975A1021D9FCF549F69D8495EE7FB6FB88211F00442AED5A97281EF309E108BA1

Function 015BBB48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58c7423e8fd0d489acc30a643ed49b0a47921facc3dbf27362664c1e3d9a736
Instruction ID: afc1c3606bfefe2965c737f1c791239dea9cea33480117d8f9f879a5bddf0c74
Opcode Fuzzy Hash: d58c7423e8fd0d489acc30a643ed49b0a47921facc3dbf27362664c1e3d9a736
Instruction Fuzzy Hash: F6015A713002048FD725DB6AD994F5AB7F5FF88721F108469E1498F365CAB0EC04CB50

Function 015BBEE9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58be78e3f2bcc84fc77e25dc9f7304bbf2546370824779d0862b7246640972a3
Instruction ID: 7b8df962ba1dd32cb1f4c27b5ef19476b72134ad5769c43d0ef8cbc4ee03229b
Opcode Fuzzy Hash: 58be78e3f2bcc84fc77e25dc9f7304bbf2546370824779d0862b7246640972a3
Instruction Fuzzy Hash: F40121322002488BC7046F78985E6BE3F96EFCA311F14006EE90BCB282DE76C902CB44

Function 015BA4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b73ba88a19dc7b828bdd6842febb4b154b082e68f262655487609441321e066
Instruction ID: 48cb476f2fa84cbfe75fb0458fe3f05d6482add08e1e866eb2a1384b2406427a
Opcode Fuzzy Hash: 0b73ba88a19dc7b828bdd6842febb4b154b082e68f262655487609441321e066
Instruction Fuzzy Hash: D2017171A1010A9FCF10DFA8D8489EE7FB6FB88310B00452AFD59D3240DB309A10CB91

Function 015BBC98 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aaf579dae41318a05131d6d5d5091b9b103afe2f5a226b1cce29f1b391411fa
Instruction ID: f17f7088719e21a90fc303b4b006872f730b402d9758a0309e7786816f2b665e
Opcode Fuzzy Hash: 3aaf579dae41318a05131d6d5d5091b9b103afe2f5a226b1cce29f1b391411fa
Instruction Fuzzy Hash: 94F0B43130424607C716A778D4552EE3FA6EFD6219B1805FD995DCF342DC66C8078790

Function 015BC1A0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856fce68e0f5e53701680d9213bbffbcd3f1d6d2330b976d7b01611036cdd750
Instruction ID: 071b621bd12235c4d01c0fe1ed4d337c63ba6479b07336e8ea114b473c54d90c
Opcode Fuzzy Hash: 856fce68e0f5e53701680d9213bbffbcd3f1d6d2330b976d7b01611036cdd750
Instruction Fuzzy Hash: 1EF05476B005128FDB159B7DA4546AE77E5FBC4221B14407AE509DF350CF75D802C754

Function 015BBD78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a6d45cc8648b8bc54d957a5ae0a18dce644277207ebf0ed661977ba3e069a1
Instruction ID: e2a00e7190abd533ce5c3c3d4cda7086508743070982108c63126f85993261e4
Opcode Fuzzy Hash: 60a6d45cc8648b8bc54d957a5ae0a18dce644277207ebf0ed661977ba3e069a1
Instruction Fuzzy Hash: 08F04F72A00109AFCB40EFA9D8449FF7BF9FF88210B004069F519D7211DA34D9118BA1

Function 015BBE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e4d2fb8d117d32d0383b88d20dfd866ed8a13fe089768f9afb6561bf779b2d
Instruction ID: 2524b8d5aea54264d4b3a9b37fb4f9d86e7f7c57e4161cd60206aa31e2fa1bce
Opcode Fuzzy Hash: 08e4d2fb8d117d32d0383b88d20dfd866ed8a13fe089768f9afb6561bf779b2d
Instruction Fuzzy Hash: B2F03A353005059FC700CF59D488D6ABBEAFF887207544069EA098B331CB71AC11CB80

Function 015BB9EB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0e3b4809781d7cf4aa1278f2947ff1b669f96f0688a0e5fbec0ac79fc442ed
Instruction ID: 27ae768c08944198f2b23bdc1338dd79fc2c727291db32ec937da799810e734f
Opcode Fuzzy Hash: fc0e3b4809781d7cf4aa1278f2947ff1b669f96f0688a0e5fbec0ac79fc442ed
Instruction Fuzzy Hash: 28F0B4B6E01205AFCB50DFA9D981ADFBBF5FF48250B14453AD509E3204D6309905CBE1

Function 015B46C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc2d388d5a4bf0efe140d077e7badce8422eeade8ed80c54dd639eabc2570ec
Instruction ID: a855f1d08f3c48a8caa63598cf6965d6f75c6cafb78b00ddad257fd5b859e351
Opcode Fuzzy Hash: 4bc2d388d5a4bf0efe140d077e7badce8422eeade8ed80c54dd639eabc2570ec
Instruction Fuzzy Hash: B1F0AC340753028FD3266F24E4AC27D7B71FF4B317B066D55E02AC901AEB710059DB54

Function 015B46D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eacf0b83752a5440064c931a17280445f00cb275cf9f8318ed67bfb4a3167612
Instruction ID: c60aaa58b78b7e34ad04c8ee29c6efd7399a636f94b1c7543c61ca51960b1b51
Opcode Fuzzy Hash: eacf0b83752a5440064c931a17280445f00cb275cf9f8318ed67bfb4a3167612
Instruction Fuzzy Hash: B2E002740727068FD3322F64B5AC27E7A65FB8B317B466D00E12EC9019EF754458EB54

Function 015B1877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdff9d96922b0a882e8290f8570ae1fd5de2c3de04f8b5b2c7f49ece88d73897
Instruction ID: 1fbc60c8a15c14525a33cf63ebe35a0a990fc927a625a8fa0c5c024f490dfbdd
Opcode Fuzzy Hash: cdff9d96922b0a882e8290f8570ae1fd5de2c3de04f8b5b2c7f49ece88d73897
Instruction Fuzzy Hash: 39E092319113668ECB13ABB0D8044DEBB30EE8331475542A7D118AB050EB35154AC7A1

Function 015B1888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680c89c74604eff8bd24e6c3d2c7a752d1692e71b0dd2956b43e9382118a8c4c
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 680c89c74604eff8bd24e6c3d2c7a752d1692e71b0dd2956b43e9382118a8c4c
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 015BBF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa141572e90d33a1ae94d6cd75d415fef012a30ac7de0f8d24749e33df05adc
Instruction ID: 4fda4af060fc35b5839c8567d11c47b554e7bdaf0fa0dfe250a0da90023a7032
Opcode Fuzzy Hash: 2aa141572e90d33a1ae94d6cd75d415fef012a30ac7de0f8d24749e33df05adc
Instruction Fuzzy Hash: D5D0C736311118A74B052A49A8098AE7F5EEBCD7717048026FD1583340CE719D1197E5

Function 015B4831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef62f54abc6e1867efb60763647b15336158bb4d1e312f9985b0b12f6d7b6913
Instruction ID: 8608c635689c16348d6a0a2f72c68899b4bd94cf4c955f0f5e56522a177f90ac
Opcode Fuzzy Hash: ef62f54abc6e1867efb60763647b15336158bb4d1e312f9985b0b12f6d7b6913
Instruction Fuzzy Hash: BBC04C3244D3C05FCB2B8B7098661557BB0BA1731571514EEC051C6057EA695405C711

Non-executed Functions

Function 015B1A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

Xaq, xrefs: 015B1B7C
Xaq, xrefs: 015B1B2F
Xaq, xrefs: 015B1AB0
Xaq, xrefs: 015B1A76

Memory Dump Source

Source File: 00000001.00000002.3298129652.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15b0000_RegAsm.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 04cd60e39588b63e5c8cd4ec6f3d8c873d0dbf3130774454a34afd0eaa06af6b
Instruction ID: 5794e4aebd335204294b78331cc7b93ac97c6e7dd23b64db4d0f5f844537098f
Opcode Fuzzy Hash: 04cd60e39588b63e5c8cd4ec6f3d8c873d0dbf3130774454a34afd0eaa06af6b
Instruction Fuzzy Hash: 6E317330D0061A8BDFA58FAD95D03EEBAF6BF84310F1440A9C515AB255EF70C985CB92

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JHGFDFG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JHGFDFG.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
JHGFDFG.exe

Function 029805B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 346
processCOMMON

Function 029805BC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 341
processCOMMON

Function 0298131D Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 341
processCOMMON

Function 0298056B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139
COMMON

Function 02980620 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
injectionCOMMON

Function 0298062C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Function 02982039 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
injectionCOMMON

Function 029805F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
COMMON

Function 029805FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Function 02980608 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
memoryCOMMON

Function 02981AC1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Function 02981CB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
memoryCOMMON

Function 02980614 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Function 02980638 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
threadCOMMON

Function 029805D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON