Play interactive tour

Edit tour

Analysis Report SlaZL2LqI2.exe

Overview

General Information

Sample Name:	SlaZL2LqI2.exe
Analysis ID:	344543
MD5:	9e3469f024cd186e3685505b7d2e4412
SHA1:	2e3b115a155e10fc2dfe822ed6a7d6c03d1702fd
SHA256:	14d9c9f0dbe84637aad5dca71f874b7fd2c11e7b476c4da126090c23b8e95536
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SlaZL2LqI2.exe (PID: 4724 cmdline: 'C:\Users\user\Desktop\SlaZL2LqI2.exe' MD5: 9E3469F024CD186E3685505B7D2E4412)

AddInProcess32.exe (PID: 3560 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

WerFault.exe (PID: 4860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bbc", "KEY1_OFFSET 0x1d720", "CONFIG SIZE : 0xb5", "CONFIG OFFSET 0x1d823", "URL SIZE : 22", "searching string pattern", "strings_offset 0x1c363", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa9c3744d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01549", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "heteltht.com", "transbordaquemultiplica.com", "ispartakulecleaner.com", "woodcutter.website", "gy88api8888.com", "forsagemagic.com", "greenqobbler.com", "piligame.com", "pcbet333.com", "superpuzzlegames.com", "jameslearyrealestate.com", "acmarketinghacks.com", "world-travel.xyz", "sprayfoampocatello.com", "anshangbao.com", "qacpilotacademy.com", "aodaicali.com", "aarusystems.com", "potion-designs.com", "bajaenvocho.com", "ourwfh.com", "upliftfurnitureconcepts.com", "almurasilnews.com", "thestillmancowboyhats.com", "blessedparfum.com", "brandceowd.com", "dekenchar.com", "leaseplein.com", "riverandrailga.com", "smartbandbtraders.com", "www-instagramhelpcenter.com", "maneinstinct.com", "jennifer-jones.com", "exonmobilerewardsplua.com", "westgateoptometry.net", "cornelldevelopment.com", "grhkj.com", "authenicblackculture.com", "feriavirtualdelibros.com", "mountresonant.life", "shopcelebratory.com", "juliaaiz.art", "fiveminutefixers.net", "limonseltzer.com", "skinsworldtrade.com", "xn--vhqqb70qmrhwmvnh0e.xyz", "rangers3.xyz", "meixia.space", "xn----7sbncclroqxy.xn--p1acf", "cindybakerdesigns.com", "ccheapvrshop.com", "ymoac.com", "well-being.international", "ymdycrea.net", "bowlboo.com", "marikajboutique.com", "ckhomecare.com", "meimingvip.com", "dwicans-8.info", "downtoearthdiner.com", "nantoeas.club", "mugephoto.com", "bestey.com", "opinnovatesmx.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.vitajwb.com/irux/\u0000"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26db8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x27022:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x82f8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x831f4:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb086a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb0ad4:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xde13a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xde3a4:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x32b45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8ed17:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbc5f7:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe9ec7:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x32631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8e803:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbc0e3:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe99b3:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x32c47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8ee19:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbc6f9:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe9fc9:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x32dbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x358d9:$sqlite3step: 68 34 1C 7B E1 0x359ec:$sqlite3step: 68 34 1C 7B E1 0x91aab:$sqlite3step: 68 34 1C 7B E1 0x91bbe:$sqlite3step: 68 34 1C 7B E1 0xbf38b:$sqlite3step: 68 34 1C 7B E1 0xbf49e:$sqlite3step: 68 34 1C 7B E1 0xecc5b:$sqlite3step: 68 34 1C 7B E1 0xecd6e:$sqlite3step: 68 34 1C 7B E1 0x35908:$sqlite3text: 68 38 2A 90 C5 0x35a2d:$sqlite3text: 68 38 2A 90 C5 0x91ada:$sqlite3text: 68 38 2A 90 C5 0x91bff:$sqlite3text: 68 38 2A 90 C5 0xbf3ba:$sqlite3text: 68 38 2A 90 C5 0xbf4df:$sqlite3text: 68 38 2A 90 C5 0xecc8a:$sqlite3text: 68 38 2A 90 C5 0xecdaf:$sqlite3text: 68 38 2A 90 C5 0x3591b:$sqlite3blob: 68 53 D8 7F 8C 0x35a43:$sqlite3blob: 68 53 D8 7F 8C 0x91aed:$sqlite3blob: 68 53 D8 7F 8C 0x91c15:$sqlite3blob: 68 53 D8 7F 8C 0xbf3cd:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x88e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x956a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17409:$sqlite3step: 68 34 1C 7B E1 0x1751c:$sqlite3step: 68 34 1C 7B E1 0x17438:$sqlite3text: 68 38 2A 90 C5 0x1755d:$sqlite3text: 68 38 2A 90 C5 0x1744b:$sqlite3blob: 68 53 D8 7F 8C 0x17573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa2ba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa524:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37b78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37de2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16047:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x43905:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b33:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x433f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16149:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x43a07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x162c1:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43b7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf3c:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x387fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14dae:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x4266c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbc35:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x394f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1beb9:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x49777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cebc:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18ddb:$sqlite3step: 68 34 1C 7B E1 0x18eee:$sqlite3step: 68 34 1C 7B E1 0x46699:$sqlite3step: 68 34 1C 7B E1 0x467ac:$sqlite3step: 68 34 1C 7B E1 0x18e0a:$sqlite3text: 68 38 2A 90 C5 0x18f2f:$sqlite3text: 68 38 2A 90 C5 0x466c8:$sqlite3text: 68 38 2A 90 C5 0x467ed:$sqlite3text: 68 38 2A 90 C5 0x18e1d:$sqlite3blob: 68 53 D8 7F 8C 0x18f45:$sqlite3blob: 68 53 D8 7F 8C 0x466db:$sqlite3blob: 68 53 D8 7F 8C 0x46803:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.AddInProcess32.exe.760000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.AddInProcess32.exe.760000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.AddInProcess32.exe.760000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.AddInProcess32.exe.760000.1.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bbc", "KEY1_OFFSET 0x1d720", "CONFIG SIZE : 0xb5", "CONFIG OFFSET 0x1d823", "URL SIZE : 22", "searching string pattern", "strings_offset 0x1c363", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa9c3744d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01549", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Show sources

Source: SlaZL2LqI2.exe	Virustotal: Detection: 31%			Perma Link
Source: SlaZL2LqI2.exe	ReversingLabs: Detection: 30%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: SlaZL2LqI2.exe

Joe Sandbox ML: detected

Source: 2.2.AddInProcess32.exe.760000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: SlaZL2LqI2.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: SlaZL2LqI2.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: AddInProcess32.pdb source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp, AddInProcess32.exe, WerFault.exe, 00000005.00000002.346577564.0000000003110000.00000002.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.259208534.0000000002E0A000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.259383971.0000000002DFC000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.259383971.0000000002DFC000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.259258652.0000000002DF0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.259374983.0000000002DF6000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp, AddInProcess32.exe, 00000002.00000002.351711193.0000000000392000.00000002.00020000.sdmp, WerFault.exe, 00000005.00000002.346577564.0000000003110000.00000002.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000005.00000003.261041308.0000000005011000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.259258652.0000000002DF0000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_077266A4
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_07727128
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07727128
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov esp, ebp	0_2_0772DF78
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then jmp 077226EEh	0_2_07721F18
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_07726E08
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07726E08
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_07727898
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_0772711C
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_0772711C
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then xor edx, edx	0_2_07727060
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then xor edx, edx	0_2_07727054
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_07726DFC
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_07726DFC
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_07726924
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_077289B8

Networking:

Source: SlaZL2LqI2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SlaZL2LqI2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SlaZL2LqI2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SlaZL2LqI2.exe, 00000000.00000002.253723358.0000000001590000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: SlaZL2LqI2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SlaZL2LqI2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SlaZL2LqI2.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SlaZL2LqI2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SlaZL2LqI2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SlaZL2LqI2.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1?E
Source: SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g?E
Source: SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj?E
Source: SlaZL2LqI2.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SlaZL2LqI2.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SlaZL2LqI2.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SlaZL2LqI2.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: SlaZL2LqI2.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.comT

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Code function: 0_2_06856EE8 CreateProcessAsUserW,

0_2_06856EE8

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0185C961	0_2_0185C961
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_01852809	0_2_01852809
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0185306B	0_2_0185306B
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0185EB8B	0_2_0185EB8B
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0185B5D0	0_2_0185B5D0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_01856D78	0_2_01856D78
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0185D458	0_2_0185D458
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_01856743	0_2_01856743
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_01859E80	0_2_01859E80
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0185C318	0_2_0185C318
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06850A28	0_2_06850A28
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06858648	0_2_06858648
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06853F40	0_2_06853F40
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06853810	0_2_06853810
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06850040	0_2_06850040
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06851D50	0_2_06851D50
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06855D58	0_2_06855D58
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06850A18	0_2_06850A18
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06858638	0_2_06858638
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06859268	0_2_06859268
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_068567F8	0_2_068567F8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06853F30	0_2_06853F30
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06855099	0_2_06855099
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_068550A8	0_2_068550A8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_068574F0	0_2_068574F0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06850007	0_2_06850007
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06853801	0_2_06853801
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06855510	0_2_06855510
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06855520	0_2_06855520
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06851D42	0_2_06851D42
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_06855D48	0_2_06855D48
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_07722718	0_2_07722718
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_077206E0	0_2_077206E0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_07728280	0_2_07728280
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_07721F18	0_2_07721F18
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0772CED8	0_2_0772CED8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_07722708	0_2_07722708
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_077206D1	0_2_077206D1
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0772CEC8	0_2_0772CEC8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_07727CE0	0_2_07727CE0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_07727CD1	0_2_07727CD1
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_0772D9E8	0_2_0772D9E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 2_2_00392050	2_2_00392050

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172

Source: SlaZL2LqI2.exe

Static PE information: invalid certificate

Source: SlaZL2LqI2.exe	Binary or memory string: OriginalFilename vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAddInProcess32.exeT vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.260741498.0000000006440000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.254118568.0000000003240000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe	Binary or memory string: OriginalFilenameIMG_80136.exeL vs SlaZL2LqI2.exe

Source: SlaZL2LqI2.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal92.troj.evad.winEXE@4/6@0/0

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlaZL2LqI2.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3560

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Source: SlaZL2LqI2.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SlaZL2LqI2.exe	Virustotal: Detection: 31%
Source: SlaZL2LqI2.exe	ReversingLabs: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\SlaZL2LqI2.exe 'C:\Users\user\Desktop\SlaZL2LqI2.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SlaZL2LqI2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SlaZL2LqI2.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp, AddInProcess32.exe, WerFault.exe, 00000005.00000002.346577564.0000000003110000.00000002.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.259208534.0000000002E0A000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.259383971.0000000002DFC000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.259383971.0000000002DFC000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.259258652.0000000002DF0000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.259374983.0000000002DF6000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp, AddInProcess32.exe, 00000002.00000002.351711193.0000000000392000.00000002.00020000.sdmp, WerFault.exe, 00000005.00000002.346577564.0000000003110000.00000002.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000005.00000003.261041308.0000000005011000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.259258652.0000000002DF0000.00000004.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_00F27632 push es; retf	0_2_00F27634
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_00F27627 push es; retf	0_2_00F27628
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_00F2762C push es; retf	0_2_00F2762E
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_00F27600 push es; retf	0_2_00F27622
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_068585F8 pushad ; retf	0_2_068585F9
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Code function: 0_2_068585FA push eax; retf	0_2_06858601

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

File opened: C:\Users\user\Desktop\SlaZL2LqI2.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 2900	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 4632	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 4632	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 496	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 4576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: WerFault.exe, 00000005.00000003.344516445.0000000002E10000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp, WerFault.exe, 00000005.00000003.275279827.0000000002E10000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 760000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 760000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 760000	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 761000	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 564008	Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Queries volume information: C:\Users\user\Desktop\SlaZL2LqI2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SlaZL2LqI2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation	Valid Accounts1	Valid Accounts1	Masquerading1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Valid Accounts1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection311	Access Token Manipulation1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion3	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Disable or Modify Tools1	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection311	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information2	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SlaZL2LqI2.exe	31%	Virustotal		Browse
SlaZL2LqI2.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.Tnega
SlaZL2LqI2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.AddInProcess32.exe.760000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ns.adobe.cobj?E	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ns.ado/1?E	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://ns.adobe.c/g?E	0%	Avira URL Cloud	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adobe.cobj	SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj?E	SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1?E	SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.c/g	SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp	false		high
http://schema.org/WebPage	SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp	false		high
http://ns.adobe.c/g?E	SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.ado/1	SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344543
Start date:	26.01.2021
Start time:	17:20:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SlaZL2LqI2.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@4/6@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.6%) Quality average: 43.9% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 100% Number of executed functions: 66 Number of non-executed functions: 14
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, HxTsr.exe, RuntimeBroker.exe, wermgr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.42.151.234, 13.88.21.125, 172.217.23.36, 23.210.248.85, 51.104.139.180, 93.184.221.240, 51.103.5.159, 40.126.31.6, 40.126.31.4, 20.190.159.132, 40.126.31.135, 20.190.159.134, 20.190.159.138, 40.126.31.1, 40.126.31.137, 104.43.193.48 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, arc.msn.com, wu.azureedge.net, www.tm.a.prd.aadg.trafficmanager.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:21:21	API Interceptor	1x Sleep call for process: SlaZL2LqI2.exe modified
17:22:03	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	4NoiNHCNoU.exe	Get hash	malicious	Browse
	SoPwZKv1Mf.exe	Get hash	malicious	Browse
	bXFjrxjRlb.exe	Get hash	malicious	Browse
	Generator.cont.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	560911_P.EXE	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	IMG_61779.pdf.exe	Get hash	malicious	Browse
	IMG_5391.EXE	Get hash	malicious	Browse
	czZ769nM6r.exe	Get hash	malicious	Browse
	IMG_1107.EXE	Get hash	malicious	Browse
	r3q6Bv8naR.exe	Get hash	malicious	Browse
	sy1RnlHl8Y.exe	Get hash	malicious	Browse
	qyMlTIBawC.exe	Get hash	malicious	Browse
	Qn2AQrgfqJ.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.28611.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.17348.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.509.7497.exe	Get hash	malicious	Browse
	IMG_12283.exe	Get hash	malicious	Browse
	IMG_06176.pdf.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AddInProcess32.e_c75c3781ccb7467b1c3e186dc1b041f2a01bea24_f4cf66e0_12a7f9a7\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	7612
Entropy (8bit):	3.7520729747903254
Encrypted:	false
SSDEEP:	192:BAKE/18si0xHBUZMXWOgjl/u7sYBS274It6osU:WKEd8si0BBUZMXWOgjl/u7sEX4It6osU
MD5:	951B3CF85333A4D13B7B3ECD12E25D67
SHA1:	7249308F590AB7A50BB7E401E487C3E3AB248BFB
SHA-256:	1887E5F5F7A3A987E80F02FBD5780BF85A8141C56CF4E2998DFE3DF1708BA0C1
SHA-512:	DE0784D3C3DFC8905B21C8A2BCC8CDC1831822EAAD39ECEF548769622A144AFC32B9AB4837BF2FDFAE772C128DC12D1931DA2F87945BE3489FB19CE416C1A517
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.8.4.0.8.4.3.2.2.3.1.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.1.8.4.0.9.0.9.7.8.5.7.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.1.a.b.6.4.7.-.d.7.a.b.-.4.5.2.c.-.b.9.d.5.-.3.f.b.1.c.c.e.8.c.f.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.4.7.e.d.e.f.-.7.7.a.f.-.4.3.1.7.-.a.f.c.9.-.4.5.b.e.5.3.e.6.d.9.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.d.d.I.n.P.r.o.c.e.s.s.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.d.d.I.n.P.r.o.c.e.s.s.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.e.8.-.0.0.0.1.-.0.0.1.6.-.4.e.1.a.-.3.a.b.6.4.a.f.4.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.f.d.5.e.1.2.8.2.3.d.6.b.d.e.a.c.7.2.a.5.5.8.e.7.d.d.e.9.2.2.4.0.0.0.0.0.9.0.4.!.0.0.0.0.9.0.d.f.7.1.9.2.4.1.c.e.0.4.8.2.8.f.0.d.d.4.d.3.1.d.6.8.3.f.8.4.7.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6055.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jan 27 01:21:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	18908
Entropy (8bit):	2.0301858005637117
Encrypted:	false
SSDEEP:	96:5gc8//opp5Ab5WgLembAm3mHijMyRI0kNWIXYWIdIxNLE71A:26ab5WOei/2HypRZchE71A
MD5:	3320E42A59D579F99E0EA704B9BAC56C
SHA1:	7BC5688365A372AEBC65187F5630C1F6DCDE0BB0
SHA-256:	B4B2ADCE9346BA97B0ED2F966366516DF634D94E29DC62D11C4F3E2C0459E335
SHA-512:	BF34015CE02A170972C4A206FB3F8326B9C91C9F14260187CDD3D395417293B68217CEFA99672E5AAA6C6E1B3E81F4F8B55797F9D46B29905F1298D2387AB36F
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........`...................U...........B......t.......GenuineIntelW...........T..............`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER624A.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.698912714524007
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi1PR606Yw1623qgmfrXSjCpr589banWsfEem:RrlsNi1p606Yq6rgmfrXSNan1fk
MD5:	F4CC9F23E5CC2CA7DAAFDD355E174ED6
SHA1:	54EC7FC1B7D1CA1C7B69E00365B8979A59C91E08
SHA-256:	D5A43D103EF085413B271CDE5041AF8E48E6E6B8BB8025024B33D65A632BE4DB
SHA-512:	2C8330504824B66D11D616112D7D3AF6141C2F5236809EAE7B7ECC6D05F0CD0A5938A3F630D435275519B9A985E9CB5D795D2B16FD0CBD215EFF312A82FEB623
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER679A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4802
Entropy (8bit):	4.495533962805604
Encrypted:	false
SSDEEP:	48:cvIwSD8zsx3JgtWI9/3WSC8Ba8fm8M4JfTEjMFO+q8vSEjGz8U4/Jrb7grYAd:uITfjYGSNNJ2bKjGv4/tHmLd
MD5:	91289694503598DD70031B078AD460DD
SHA1:	4108FFA5DEDC81D9C8F6F522E73D06B065C2DE4B
SHA-256:	65FB63950E2B3634A55985815AFF6E1603746F0A6AEA33D4FCBB975FA4693A03
SHA-512:	B505F7629F8649330B2357E8F2DDFD828B216A280868CC39AF3419CC28D2873E12CA641458B48E45B7AC4A41C5839D015F2A5B30BAEDDE54A23AA10E55BE04D6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="834392" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlaZL2LqI2.exe.log Download File
Process:	C:\Users\user\Desktop\SlaZL2LqI2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	5.355036985457214
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovitHoxHhAHKzvr1qHj:iqXeqm00YqhQnouRqjoKtIxHeqzTwD
MD5:	CDA95282F22F47DA2FDDC9E912B67FEF
SHA1:	67A40582A092B5DF40C3EB61A361A2D336FC69E0
SHA-256:	179E50F31095D0CFA13DCBB9CED6DEE424DFE8CEF8E05BDE1F840273F45E5F49
SHA-512:	1D151D92AE982D2149C2255826C2FFB89A475A1EB9B9FE93DC3706F3016CD6B309743B36A4D7F6D68F48CE25391FDA7A2BAE42061535EEA7862460424A3A2036
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Download File
Process:	C:\Users\user\Desktop\SlaZL2LqI2.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42080
Entropy (8bit):	6.2125074198825105
Encrypted:	false
SSDEEP:	384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
MD5:	F2A47587431C466535F3C3D3427724BE
SHA1:	90DF719241CE04828F0DD4D31D683F84790515FF
SHA-256:	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
SHA-512:	E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 4NoiNHCNoU.exe, Detection: malicious, Browse Filename: SoPwZKv1Mf.exe, Detection: malicious, Browse Filename: bXFjrxjRlb.exe, Detection: malicious, Browse Filename: Generator.cont.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 560911_P.EXE, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: IMG_61779.pdf.exe, Detection: malicious, Browse Filename: IMG_5391.EXE, Detection: malicious, Browse Filename: czZ769nM6r.exe, Detection: malicious, Browse Filename: IMG_1107.EXE, Detection: malicious, Browse Filename: r3q6Bv8naR.exe, Detection: malicious, Browse Filename: sy1RnlHl8Y.exe, Detection: malicious, Browse Filename: qyMlTIBawC.exe, Detection: malicious, Browse Filename: Qn2AQrgfqJ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.28611.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.17348.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.509.7497.exe, Detection: malicious, Browse Filename: IMG_12283.exe, Detection: malicious, Browse Filename: IMG_06176.pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................\|w......H........#...Q...................u.......................................0..K........-....i.......r...p.o....,....r...p.o....-.......o......o.....$........o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o....(+...o,.....&...(-...........3..@......R...s.....s....(....:.(/.....}P...J.{P....o0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.639935818547034
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SlaZL2LqI2.exe
File size:	776136
MD5:	9e3469f024cd186e3685505b7d2e4412
SHA1:	2e3b115a155e10fc2dfe822ed6a7d6c03d1702fd
SHA256:	14d9c9f0dbe84637aad5dca71f874b7fd2c11e7b476c4da126090c23b8e95536
SHA512:	5b8f8702d84d1a04aa0c4ea1db3048341a70d090a5d5377fac870820b93e5f0f8c2e91bad2d38f60a631c431aff93bdd9e39ce6d09729098db2459db8502bd87
SSDEEP:	12288:WXmGhHfNbxpJZ1mgWPj8MtQEMvZb19lBD:WXmGL/JZ/Wb8+QxZxD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R...................t...J........... ........@.. ....................... ............`................................

File Icon


Icon Hash:	aaacae8e96a2c0e6

Static PE Info

General
Entrypoint:	0x4b92ce
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x1EFD52AE [Mon Jun 23 13:44:14 1986 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	5/28/2020 5:00:00 PM 6/3/2021 5:00:00 AM
Subject Chain	CN=LLC Mail.Ru, O=LLC Mail.Ru, L=ÐÐ¾ÑÐºÐ²Ð°, C=RU, SERIALNUMBER=1027739850962, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=RU
Version:	3
Thumbprint MD5:	CE53364B33A1C9E4BA3F1F1FCA294406
Thumbprint SHA-1:	21DACC55B6E0B3B0E761BE03ED6EDD713489B6CE
Thumbprint SHA-256:	7F03209D02816C136F811D1BF8CC3E23EA011CE37E3F0C45E277EE3DD67018E0
Serial:	0DEB004E56D7FCEC1CAA8F2928D4E768

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb9274	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x46f2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbc000	0x17c8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb72d4	0xb7400	False	0.557978235846	data	5.60593294747	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x46f2	0x4800	False	0.154242621528	data	2.48712731924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xba130	0x4028	data
RT_GROUP_ICON	0xbe158	0x14	data
RT_VERSION	0xbe16c	0x39c	data
RT_MANIFEST	0xbe508	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2005 4;@:9>CF>>5?A@<AE4D4
Assembly Version	1.0.0.0
InternalName	IMG_80136.exe
FileVersion	5.8.10.13
CompanyName	4;@:9>CF>>5?A@<AE4D4
Comments	A7E@4HA4?@7HB;B98GH
ProductName	56:53B29963AH9:F76>A
ProductVersion	5.8.10.13
FileDescription	56:53B29963AH9:F76>A
OriginalFilename	IMG_80136.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 17:21:06.528923988 CET	54757	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:06.577542067 CET	53	54757	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:07.423810005 CET	49992	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:07.475569963 CET	53	49992	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:08.599344015 CET	60075	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:08.650882959 CET	53	60075	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:13.261482000 CET	55016	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:13.317917109 CET	53	55016	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:28.289279938 CET	64345	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:28.347115993 CET	53	64345	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:32.107415915 CET	57128	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:32.155298948 CET	53	57128	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:33.584187984 CET	54791	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:33.632198095 CET	53	54791	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:55.873316050 CET	50463	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:55.925277948 CET	53	50463	8.8.8.8	192.168.2.5
Jan 26, 2021 17:21:56.296921015 CET	50394	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:21:56.361057043 CET	53	50394	8.8.8.8	192.168.2.5
Jan 26, 2021 17:22:05.815181017 CET	58530	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:22:05.865876913 CET	53	58530	8.8.8.8	192.168.2.5
Jan 26, 2021 17:22:07.925426960 CET	53813	53	192.168.2.5	8.8.8.8
Jan 26, 2021 17:22:07.980906963 CET	53	53813	8.8.8.8	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 26, 2021 17:22:05.865876913 CET	8.8.8.8	192.168.2.5	0xd0c6	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SlaZL2LqI2.exe PID: 4724 Parent PID: 5784

General

Start time:	17:21:11
Start date:	26/01/2021
Path:	C:\Users\user\Desktop\SlaZL2LqI2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SlaZL2LqI2.exe'
Imagebase:	0xe70000
File size:	776136 bytes
MD5 hash:	9E3469F024CD186E3685505B7D2E4412
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: AddInProcess32.exe PID: 3560 Parent PID: 4724

General

Start time:	17:21:17
Start date:	26/01/2021
Path:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Imagebase:	0x390000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: WerFault.exe PID: 4860 Parent PID: 3560

General

Start time:	17:21:22
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172
Imagebase:	0x180000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SlaZL2LqI2.exe PID: 4724 Parent PID: 5784 SlaZL2LqI2.exeCOMMON

Executed Functions

Function 077206E0, Relevance: 6.0, Strings: 4, Instructions: 974COMMON

Download Yara Rule

Strings

ntin, xrefs: 0772113F
(, xrefs: 07720D66
ntin, xrefs: 07720C0D
<, xrefs: 077208FC

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID: ($<$ntin$ntin
API String ID: 0-2884023141
Opcode ID: 29f73b3f2f8fc22eb4e1dc784047e6750267a62ce940e23024b62dd7affde786
Instruction ID: 6117195ffec3ca9081d5d0d8befb38f2478c512d0a0c867e961cc9ba8a1683c7
Opcode Fuzzy Hash: 29f73b3f2f8fc22eb4e1dc784047e6750267a62ce940e23024b62dd7affde786
Instruction Fuzzy Hash: 1DA2D4B4E042298FDB54CF99C981A9DFBF2BF89304F258099D518AB255D730A982CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06853F40, Relevance: 4.7, Strings: 3, Instructions: 969COMMON

Download Yara Rule

Strings

ntin, xrefs: 0685499F
ntin, xrefs: 0685446C
<, xrefs: 0685415A

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID: <$ntin$ntin
API String ID: 0-1029651476
Opcode ID: e03d466f03e0ca9517d7bf1804f160b67cec776492e9abe91b7f9955fd34e2dc
Instruction ID: 7ff71a259fd7066ac4c88dce86d8fa12ed63f7e4c4cd2c06fc01719e73ab7171
Opcode Fuzzy Hash: e03d466f03e0ca9517d7bf1804f160b67cec776492e9abe91b7f9955fd34e2dc
Instruction Fuzzy Hash: 49A2D374E042198FDB54CF99C981B9DFBF2BF89304F25C1A9D908AB255D730AA81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 077206D1, Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

ntin, xrefs: 077209E3
ntin, xrefs: 07720C0D
<, xrefs: 077208FC

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID: <$ntin$ntin
API String ID: 0-1029651476
Opcode ID: 59736449cfad8c58029a67827cf803d90215603eef1321fb0e1a2dd1cefa3215
Instruction ID: 83a281d422137591d4703342a3335331802540abd359686ef23a86ddc70a33d5
Opcode Fuzzy Hash: 59736449cfad8c58029a67827cf803d90215603eef1321fb0e1a2dd1cefa3215
Instruction Fuzzy Hash: 63E195B5E006198FDB58CFAAC9816DEBBF2BF89300F14C0A9D518AB264DB345941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 06853F30, Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

ntin, xrefs: 0685446C
ntin, xrefs: 06854241
<, xrefs: 0685415A

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID: <$ntin$ntin
API String ID: 0-1029651476
Opcode ID: 9977cd0159b2f30d08d3a8d0e0cd6e47c974e53a79706c96b59c2f5444cb78f1
Instruction ID: 09392ca3af75e08c8a07d3dd671a9c40f2d6bb422a3cf1df1f9aed8c2d1b777a
Opcode Fuzzy Hash: 9977cd0159b2f30d08d3a8d0e0cd6e47c974e53a79706c96b59c2f5444cb78f1
Instruction Fuzzy Hash: 60E1A5B5E006198FDB58CFAAC9456DEFBF2BF88300F14C1A9D508AB264DB345A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0185C961, Relevance: 3.2, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

<, xrefs: 0185CA95
@, xrefs: 0185D275

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: 891dab0b43921e82bf00b78d1ff73ca2a556f57bbc7598bfa3b6799a2c425af7
Instruction ID: ccadde08987ef5073ccbfeab37b3a47137a60b28e89888a891100edfe97f6fba
Opcode Fuzzy Hash: 891dab0b43921e82bf00b78d1ff73ca2a556f57bbc7598bfa3b6799a2c425af7
Instruction Fuzzy Hash: F7629F7490121ACFDBA4CFA9C980A9DFBF2FF49315F15C1A9D909AB211E7309A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06850040, Relevance: 3.1, Strings: 2, Instructions: 645COMMON

Download Yara Rule

Strings

<, xrefs: 06850165
@, xrefs: 06850945

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: a2f4774d2306bbbf1ca99088bcad0d708726b4d823b033561fcb2910d6eb7458
Instruction ID: 740d647a92c3e9e25f9f16e077d86ddeac1d3d7a4de4e33b76a5dbd619794b09
Opcode Fuzzy Hash: a2f4774d2306bbbf1ca99088bcad0d708726b4d823b033561fcb2910d6eb7458
Instruction Fuzzy Hash: 4C62A274D0121ACFDBA4CF69C980A9DFBF2BF49345F16C1A9DA09AB215E7309981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06850007, Relevance: 3.0, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

<, xrefs: 06850165
@, xrefs: 06850945

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID: <$@
API String ID: 0-1426351568
Opcode ID: fcc0331fe736020cebad3f494a121ed2e78556afb25055d72992045c4e529f51
Instruction ID: 0fd0fd9017f1c8d10dfdab46db4228468a888d1e1f38b84536d40892ca6a85bb
Opcode Fuzzy Hash: fcc0331fe736020cebad3f494a121ed2e78556afb25055d72992045c4e529f51
Instruction Fuzzy Hash: A732CF7090121ACFDBA4CF66C944A8DFBF2BF49745F16C1E9DA09AB211E7309984CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0185D458, Relevance: 2.1, APIs: 1, Instructions: 563memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0185D3FF

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4515e04e8e3a7cd46f5a04d8cab21103d68b183ff04dc223a25dd2b23d64a766
Instruction ID: ad402247f23af369f4ae04b68f3d4d610f21699f8dc511e0506dbad06ce1d3fa
Opcode Fuzzy Hash: 4515e04e8e3a7cd46f5a04d8cab21103d68b183ff04dc223a25dd2b23d64a766
Instruction Fuzzy Hash: 7842D27490021ACFDB90DFA9C980A8DFBB2FF49315F55C299D909AB211DB30DA85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06856EE8, Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 068570D4

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 42cb5589c22fe8115a453926b7fc90000b68882bd9861175548189f9cc3955a1
Instruction ID: 3f98fb6ae14930b8737da9c61550b05dd52d38c6f8a68cccf3bf4e7187052f10
Opcode Fuzzy Hash: 42cb5589c22fe8115a453926b7fc90000b68882bd9861175548189f9cc3955a1
Instruction Fuzzy Hash: E391CFB1D0422D9FCB21CFA4C880BDDBBF1BB19304F0591AAE549B7210DB74AA85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06853810, Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

jN, xrefs: 068538E6

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID: jN
API String ID: 0-1675516797
Opcode ID: 9b2a2ddfcd1b29e7911b49b76f73e61e1033d9e91bdc58b959e4bdeb79c40714
Instruction ID: 3b98e15dffd5d18dc55d380d385a75c9cbfe2d4029fc81906fada0231559d68e
Opcode Fuzzy Hash: 9b2a2ddfcd1b29e7911b49b76f73e61e1033d9e91bdc58b959e4bdeb79c40714
Instruction Fuzzy Hash: B132E37090021ACFDB90DF99C980A8DFBB2BF49645F56C199C609AB211EB30D985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06853801, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

jN, xrefs: 068538E6

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID: jN
API String ID: 0-1675516797
Opcode ID: 38f5f7d1ff921f94ca514bb1602e110fdfb3a44b9ff276895663addcc69c2fff
Instruction ID: 938c441eebd06effef4df600638bc8f4d276b395a2fd65373267a31677bc51d4
Opcode Fuzzy Hash: 38f5f7d1ff921f94ca514bb1602e110fdfb3a44b9ff276895663addcc69c2fff
Instruction Fuzzy Hash: 0351FA70E046198FDB58CFAAC84179EFBB2EFC9300F15C1AAC518EB255EA305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01859E80, Relevance: .9, Instructions: 886COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e1290bcad2328b2f5a50a91e5e6944c56e062a65097d8e8f10c0c3fcd363d3
Instruction ID: 1323a48d177acb047debc13a746c59dc5ff9a5585bb78666463eb1b5d2ac7f34
Opcode Fuzzy Hash: 79e1290bcad2328b2f5a50a91e5e6944c56e062a65097d8e8f10c0c3fcd363d3
Instruction Fuzzy Hash: A6827F34A04209DFCB59CF68C584AAEBBF2FF88304F158669E915DB261D731EE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06855D58, Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b2f02f4c31fcb1af021843f627a087b49a62c043faee76540d88744c20cebc
Instruction ID: bc9245be81932bcec06f44e8c7e026eefa0fae2a75008e0add100b230ff69981
Opcode Fuzzy Hash: e1b2f02f4c31fcb1af021843f627a087b49a62c043faee76540d88744c20cebc
Instruction Fuzzy Hash: F352E174E002198FDB64CFA8C944BDDBBF2BF49301F5581AAE909A7355EB309A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06858648, Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a2690316e4d7ec8f490e8c83cf443fda6506857f2426cac83ffb83110091ac
Instruction ID: bf5069354b08cab65b892449329fb6803b04ec0b491fd4638af0e479f9c9a349
Opcode Fuzzy Hash: 27a2690316e4d7ec8f490e8c83cf443fda6506857f2426cac83ffb83110091ac
Instruction Fuzzy Hash: 8C22FCB0E002288BDB98DFA5CD817DDB7F1AF88314F5581AACA09A7341EB305E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06855D48, Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3769bc92632da896515df39c3fca93c8e03a30872bc3597a0cff6901f2a7602b
Instruction ID: 72a8c2a003d6fea98a933e1c5201a6ba738bc62c45b9591ebcc9076c244563b0
Opcode Fuzzy Hash: 3769bc92632da896515df39c3fca93c8e03a30872bc3597a0cff6901f2a7602b
Instruction Fuzzy Hash: 3032C174E002198FDB64CFA9C944BDDBBF2EF49301F1581AAE909A7351EB349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0185EB8B, Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3fb2d84901ce96387c97fdcede37357523487a41aeeb761e65c69455a8b7ef
Instruction ID: 60b6e00b92c0c4cb5a4d1b719026fe670ea4c18426e4e4a5ed54760515c42416
Opcode Fuzzy Hash: cd3fb2d84901ce96387c97fdcede37357523487a41aeeb761e65c69455a8b7ef
Instruction Fuzzy Hash: 9E42AF74E01219CFDB64CFA9C984B9DBBB2FF48310F1485A9E909A7355D730AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06851D50, Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513ccc2daf669cf703c5bf1d1cff0e45ea67d22214307eb9e7d0c32cd3b58ee8
Instruction ID: f23bc377b71c0317662a2438d1c861d92f6d431918830f59dd19c990212c5346
Opcode Fuzzy Hash: 513ccc2daf669cf703c5bf1d1cff0e45ea67d22214307eb9e7d0c32cd3b58ee8
Instruction Fuzzy Hash: 03429F74E01229CFDB64CFA9D984B9DBBB2FF48310F1582A9D909A7355D730AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06850A28, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea3fe5b2c53479df06885b95432cd3cd092b1f477fe3d18cab699be216a79bb
Instruction ID: 3fc90e6886d31d9b08a52c45c3ba2a4345e8fac3a12231afdfc3683c103ef656
Opcode Fuzzy Hash: 4ea3fe5b2c53479df06885b95432cd3cd092b1f477fe3d18cab699be216a79bb
Instruction Fuzzy Hash: 2732F47090021ACFDB90DF69C984A8EFBB2FF49355F56C199CA09AB211DB30D981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01856743, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bb06d7b990ba3a9b2a58877778e55fbc194f9aec6573ca541194e8f375aced
Instruction ID: 4730e455fafb75a382db751a9df3dab271406d724d4dcbcd51bad3cb8cfa37ab
Opcode Fuzzy Hash: d7bb06d7b990ba3a9b2a58877778e55fbc194f9aec6573ca541194e8f375aced
Instruction Fuzzy Hash: 0D028970A041098FDB55CF68C844BAEBBB2FF88304F648569E90ADB395EB34DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07721F18, Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b605cc42ab69978cb50c5072271c1af97772959f208589e40db140ac7d343b6c
Instruction ID: 57999452ab61fbf89a992369c61fd5a9b6394542cff13b45272c9de779746f71
Opcode Fuzzy Hash: b605cc42ab69978cb50c5072271c1af97772959f208589e40db140ac7d343b6c
Instruction Fuzzy Hash: 7122C474A15228CFDB24DF65D8597ADBBB2FF49301F1084AAD809A7390DB799E81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01856D78, Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d84cfe69fd70dc67ac4edff2dcde7546c26198c0e1581cbbd38420c303dd6f2
Instruction ID: f856025d746aed117ffc243fefb23e984010a6249213c6080b4429ccea2cfde3
Opcode Fuzzy Hash: 4d84cfe69fd70dc67ac4edff2dcde7546c26198c0e1581cbbd38420c303dd6f2
Instruction Fuzzy Hash: 38023D30A00119DFDB55CFA8C984AADBBF2FF88344FA58469E915EB261D731DE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01852809, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a1ce63bd45356854066c5d17f928dc3fc592b9ed12904692613cfd81a68e51
Instruction ID: 51f26e5fcb740773239fec1b0b4249de8479333e378460b4e62e9e91244694bc
Opcode Fuzzy Hash: 88a1ce63bd45356854066c5d17f928dc3fc592b9ed12904692613cfd81a68e51
Instruction Fuzzy Hash: 57B1B731708206CBEFBA1B69894533A75A7EF88795F054829DD87CA685CF34CE81C792

Uniqueness

Uniqueness Score: -1.00%

Function 07722718, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8396b1623d2aec4ef7fd5b9e2974cd59aebca6549083ce0ea686d053d5710097
Instruction ID: 535f9fdb37759412973c6806cec40d01a93d723f5bd0f58a68baecdeca843a37
Opcode Fuzzy Hash: 8396b1623d2aec4ef7fd5b9e2974cd59aebca6549083ce0ea686d053d5710097
Instruction Fuzzy Hash: 1DD1D2B4E04218CFDB54DFA9C984B9DBBB2BF88300F1085AAD919A7355DB309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0772CED8, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117f0ddb88fe155dab55bde2ee2f7493457b7a266a13a5cb07ad270b7dc525e8
Instruction ID: 96923634ff0ba050e74333617d9d2e5667231d6719fd802a55ec9c829a1bb451
Opcode Fuzzy Hash: 117f0ddb88fe155dab55bde2ee2f7493457b7a266a13a5cb07ad270b7dc525e8
Instruction Fuzzy Hash: 63D1D474E15228CFDB14CFAAD9887DDBBF2BB49301F1085AAD819A7354DB345A86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0772CEC8, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb02e54339df3b8d0e0569caea1205f5d598c1accb7d842bc6dbb717da6d6bf
Instruction ID: 8766e3af3718f18701cad9297e74d33db2e6f37ad0c82785da1832ae999fec50
Opcode Fuzzy Hash: 4fb02e54339df3b8d0e0569caea1205f5d598c1accb7d842bc6dbb717da6d6bf
Instruction Fuzzy Hash: B1D1D474E15218CFDB14CFAAD9887DDBBF2BB49301F1085AAD819A7364DB345A86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07727898, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e73f6cb67a49bca076f2e587459cb85c61a02cc434b4a15346bc7e90ed192f
Instruction ID: e2f65cc9b27af5feadec143c4d8924c5532ab53627f9aee99127cbd5a9efb359
Opcode Fuzzy Hash: c8e73f6cb67a49bca076f2e587459cb85c61a02cc434b4a15346bc7e90ed192f
Instruction Fuzzy Hash: 40B157B0E04219DFCB14DFA9C494A9EBBF1EF89344F248529D519BB350DB30A986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07728280, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480772246dfed5cb3ad29a79ab2c2a4594d751ca3774482e2374ae2dff8889b4
Instruction ID: 82712f5c57ac284da8089f0b4d3288d089fa704d6aa6a52b4a054de8e2f17a3e
Opcode Fuzzy Hash: 480772246dfed5cb3ad29a79ab2c2a4594d751ca3774482e2374ae2dff8889b4
Instruction Fuzzy Hash: 7FB105B4E00218CFDB14DFA9C944A9DFBB2BF89300F1481A9D519AB315EB359986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0185B5D0, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db24ff90f24573ab8cbd0ac7ffda098840bcd6feb26b8c66aec6d822d5ac607
Instruction ID: 364edbeaee84b6331ff2a06d3ebe7df1de94808fd30c4bec0b1bc3de8a410f78
Opcode Fuzzy Hash: 5db24ff90f24573ab8cbd0ac7ffda098840bcd6feb26b8c66aec6d822d5ac607
Instruction Fuzzy Hash: 97819E356046198FCB51CF68C884A6ABBF6FF64710F1A8069ED15DB3A2D730EE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07722708, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c455c8cd452c0fac0f14771e8a1b1a2ca3da04d7a7de36ac6668a5ff38b41c1e
Instruction ID: 5ed19d9d4305c1daa37fbecd77f214b37c9628ebb4055f4c841e281aec154e2d
Opcode Fuzzy Hash: c455c8cd452c0fac0f14771e8a1b1a2ca3da04d7a7de36ac6668a5ff38b41c1e
Instruction Fuzzy Hash: 97A100B4E04218CFDB54DFA9D984B9DBBF2FF88300F1084AAD548AB265DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0185306B, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89e46bd4ba5a838bfa313ed0fcb88ee1d7a44f1968d61815fce5ab6d8c7c013
Instruction ID: 66cbcb793d2603080620f92e062171406b6ec75c4605cba317ae178a9d1f3276
Opcode Fuzzy Hash: f89e46bd4ba5a838bfa313ed0fcb88ee1d7a44f1968d61815fce5ab6d8c7c013
Instruction Fuzzy Hash: B661E031B08209DBD7558B78C845A6EBBF3FB81398F05842ADD02DB285DB35DE41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06851D42, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f911c6a009228cddfc4fd47d3ea05bedad0f2807b10cabb617fa06d7c25ecf
Instruction ID: 142f9e8623e0ebe8a7bc2425e3c213836fe33eb6b2b721c425a520287a641529
Opcode Fuzzy Hash: c0f911c6a009228cddfc4fd47d3ea05bedad0f2807b10cabb617fa06d7c25ecf
Instruction Fuzzy Hash: D161B174E01218DFDB28CFAAD994B9DBBB2FF88300F1481A9D809A7355DB31A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06850A18, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8271172ee1457862dc155525e60821d49ae8a3687fe85ef55074a9e0b26def30
Instruction ID: 9aac6057c43d33e4d061edcd2694a1a29f7e11b78c21f2e87b315ab325000256
Opcode Fuzzy Hash: 8271172ee1457862dc155525e60821d49ae8a3687fe85ef55074a9e0b26def30
Instruction Fuzzy Hash: 1D510974E042188FDB58DFAAC940B9EBBB3AFC9200F00C4A9C519AB355DB305A85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 077289B8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33df76f119c55777bfe8c0b0900f91eda3d1843fb7fce61993eb502767988a77
Instruction ID: 0fe25238bd99237b7884a9944cf6a4bcdeec047316fe2a696ef6932503f7d3f3
Opcode Fuzzy Hash: 33df76f119c55777bfe8c0b0900f91eda3d1843fb7fce61993eb502767988a77
Instruction Fuzzy Hash: 1C419AB4D042189FCB10CFA9C584ADEBBF4BF09308F24942AE919BB350D775A949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07726924, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b69fcf28ea748cc5704a5c528295c75b67f4c09992fa027cfa6ab3f6210fe2b
Instruction ID: 7d36d0d7411310d156ed0ec239b08d05987233a6b524b66bc6a71fe9a1b285ba
Opcode Fuzzy Hash: 7b69fcf28ea748cc5704a5c528295c75b67f4c09992fa027cfa6ab3f6210fe2b
Instruction Fuzzy Hash: D741DAB4D05248DFCB10CFA9C584BDEBBF0BB09314F20942AE918BB250DB74A989CF55

Uniqueness

Uniqueness Score: -1.00%

Function 077266A4, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e628447fbbc4a27d1e69f6007b705f04d8ed1ba8b684f9d2ec9b26a821ba71fd
Instruction ID: 3092ef726b09b2637aeda1d948bc5370b7b05e3c6ed28aa1fec2cac062e5d358
Opcode Fuzzy Hash: e628447fbbc4a27d1e69f6007b705f04d8ed1ba8b684f9d2ec9b26a821ba71fd
Instruction Fuzzy Hash: 9B41AAB4D05258DFDB10CFA9C584BEEBBF0BB09314F20942AE514BB250DB74A949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07726DFC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c860a52e31ab11858fc4320b47581d2fefac0544f174a94d593a6bbc28fe75
Instruction ID: d9c40c5766aea94b80db41a257216a5c29ff117d4a88b9ba81a05fa1f331ec0c
Opcode Fuzzy Hash: 87c860a52e31ab11858fc4320b47581d2fefac0544f174a94d593a6bbc28fe75
Instruction Fuzzy Hash: A7319AB8D01219EFCB15CFA9D480AADBBB2BF49350F24952AE824B7350C3349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07726E08, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652f3c2ecc3875921f3e1d075b72cede4e7ecfbe8dcd12a7144f3ee05f8c7623
Instruction ID: 08059f54d3483609e8f8c04427a6b347c3f3a2722a6cbc0fe50d4702bb4ca65f
Opcode Fuzzy Hash: 652f3c2ecc3875921f3e1d075b72cede4e7ecfbe8dcd12a7144f3ee05f8c7623
Instruction Fuzzy Hash: B4317BB4D01219EFCB14CFA9D484AAEBBF2BF89350F24952AE824B7350D3349946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0772711C, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223ee4a0e182d4f6e4bd742c2314806c0ba3a2837fb4771346b5d505c925b238
Instruction ID: 08a9dd9b449f79a8ff8bc056b996cb35245379ea42df12cbbb75b33dcc9e779f
Opcode Fuzzy Hash: 223ee4a0e182d4f6e4bd742c2314806c0ba3a2837fb4771346b5d505c925b238
Instruction Fuzzy Hash: 8621C4B4E00219DFDB18CFAAC4446DEBBF1AF8A360F10D529E824B7290D3348545CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07727128, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e18ada5ae19f7fb056908336080536e1d576883f4d27523a7c2745fcc16f33
Instruction ID: e44e8e0112533f5499a83555f1c8368a05096d400bc1c92250db2817fba0b68d
Opcode Fuzzy Hash: 39e18ada5ae19f7fb056908336080536e1d576883f4d27523a7c2745fcc16f33
Instruction Fuzzy Hash: 0E2180B4E00219DFDB08CFAAC544AEEBBF1AF89350F10D529E924B7250D7349941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0772DF78, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7990ca723e53b9c040ff733e6395ef49537d15239a714b0ad09e4d07f282c1d
Instruction ID: 2302748ea91057930b6f4cc677b95f4fa8b3db79ab3dec7de2e5d2dd8ad39a65
Opcode Fuzzy Hash: e7990ca723e53b9c040ff733e6395ef49537d15239a714b0ad09e4d07f282c1d
Instruction Fuzzy Hash: A301AD70C082899FCB15CFA8C9182AEFFB0BF06315F1449AED464632A5DB345A15DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0685A25D, Relevance: 2.1, APIs: 1, Instructions: 584threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 0685A6E7

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 311f8adad696b90254a69cf4acc92ba604eb966085f9ea7ea3b01ad0f3a53aad
Instruction ID: c48a08c18da20e7c5bc8d445a3e1bfb7e647687c83bed4706b9e6239d00dbb38
Opcode Fuzzy Hash: 311f8adad696b90254a69cf4acc92ba604eb966085f9ea7ea3b01ad0f3a53aad
Instruction Fuzzy Hash: F341FEB4D052489FCB00CFA9C884AEEBFF0BF49314F14806AE804BB200D738A949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07728B4C, Relevance: 1.8, APIs: 1, Instructions: 273COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 0772E319

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 3097a120950286e78e3f8d35bea0f312833e6f2d666bb1d2acefd6253af24c58
Instruction ID: 04eedb8491c1292036fc2c6dec9ee16f3466f192603da49f252dd6c977f9623b
Opcode Fuzzy Hash: 3097a120950286e78e3f8d35bea0f312833e6f2d666bb1d2acefd6253af24c58
Instruction Fuzzy Hash: 75C1F0B0E04228CFDB24CFA9C985B9EBBB1BF49304F1485A9E419B7351DB709986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07728B42, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 0772E319

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4ee461569c4cc6ec143010740ec52a000dd8bdf27e053c690c42b1a71bc14df1
Instruction ID: dd8529d18f42d02ec92b224f999457550b848c623b39e285dcddc5e9770d4f0b
Opcode Fuzzy Hash: 4ee461569c4cc6ec143010740ec52a000dd8bdf27e053c690c42b1a71bc14df1
Instruction Fuzzy Hash: EAB100B0E04228CFDB24CFA9C985BDEBBB1BF49304F1485A9E419A7351DB709986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0772E06E, Relevance: 1.8, APIs: 1, Instructions: 264COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 0772E319

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d25d048dd87bf3b8c0ca451e57cf0133d8cbde14b909f65ccc926efbf919cf17
Instruction ID: d70516c007da93378280df03065156707681859b9762b372a68f62cfc83c4305
Opcode Fuzzy Hash: d25d048dd87bf3b8c0ca451e57cf0133d8cbde14b909f65ccc926efbf919cf17
Instruction Fuzzy Hash: B4B111B0E04228CFDB24CFA9C985B9DBBB1BF49304F1485A9E419B7351DB70A986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06856EDC, Relevance: 1.8, APIs: 1, Instructions: 254processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 068570D4

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: b4e71ffa6774377522f52378dbc3d676e69bc5a4f0bc8d298d1d809f8fa49831
Instruction ID: ce359383dfff19672fe7603f52eaad74378bc13fc8acc54ebf81343b42e8f65d
Opcode Fuzzy Hash: b4e71ffa6774377522f52378dbc3d676e69bc5a4f0bc8d298d1d809f8fa49831
Instruction Fuzzy Hash: 5391C0B1D0422D9FCB21CFA4C880BDDBBF5BB59304F0591AAE549B7210DB74AA85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06859CB0, Relevance: 1.6, APIs: 1, Instructions: 150injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 06859D8B

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ba367f06be09ddc18a5de25c929816cd9a850e19329a09d15990daa84e1fc50f
Instruction ID: 7384d661e04501f68f28c7385a15305863a5eefd85d3e1516aefd73c8d87de6d
Opcode Fuzzy Hash: ba367f06be09ddc18a5de25c929816cd9a850e19329a09d15990daa84e1fc50f
Instruction Fuzzy Hash: 9851ADB5D01258DFCF40CFA9D980AEEBBF1BB49314F10942AE915B7210D734AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0185D350, Relevance: 1.6, APIs: 1, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0185D3FF

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c9c5298ad9f3a1a4e92681e636a309d2fd53d51da3a9f271b2e571cd0b9de81a
Instruction ID: 0471f110202276c006b817bc0df1600a239dff2a6cd366aa931a4c2a533a4db1
Opcode Fuzzy Hash: c9c5298ad9f3a1a4e92681e636a309d2fd53d51da3a9f271b2e571cd0b9de81a
Instruction Fuzzy Hash: EA41BDB5D002199FCB10CF99D980AEEFBB1FF49314F14916AE914B7210D334AA85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06859CB8, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 06859D8B

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7068d35b08ae58657b113392d949865ecd8134293cb0a5271dd2d32a3c16517a
Instruction ID: 109213b2e22615739f49237f43622c805aa1d7e31a0c2ca285ae8a936c6f1153
Opcode Fuzzy Hash: 7068d35b08ae58657b113392d949865ecd8134293cb0a5271dd2d32a3c16517a
Instruction Fuzzy Hash: 6441AAB4D052589FCF00CFA9D984AEEFBF1BB49314F14942AE918B7200D738AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 068599C8, Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06859A7A

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c800fbff304e19a9a262c2a4c19f8f701f8884cff34575a6311c84a7ce5c83f3
Instruction ID: 1e02b58c400d22d901ea67e1745ce9740f917c2704eb40add38850df0099b7bc
Opcode Fuzzy Hash: c800fbff304e19a9a262c2a4c19f8f701f8884cff34575a6311c84a7ce5c83f3
Instruction Fuzzy Hash: AB41A9B4D04258DFCF00CFA9D984AAEBBB1BB49314F10942AE915BB210D734A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 068599D0, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06859A7A

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd37343f8832fbcfe44de6e11ba10b39114f49fe5f26cae2ee18484d1d8953c1
Instruction ID: 271569eb170a195e31de47ec00a17809b85fd70e5535781c4bfeba0ed919a0c0
Opcode Fuzzy Hash: cd37343f8832fbcfe44de6e11ba10b39114f49fe5f26cae2ee18484d1d8953c1
Instruction Fuzzy Hash: 803197B8D042589FCF10CFA9D980AEEFBB1BB49314F10942AE915BB310D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06858ED0, Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNEL32(?,?), ref: 06858F87

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6b0555d8f9848f5047420475f00863d00d72513764dc1a350e438be3d37ca72d
Instruction ID: f219aae04b030c35d9092d3a3282c8e5e8c73ed3a314452781de6f0747ba4ad2
Opcode Fuzzy Hash: 6b0555d8f9848f5047420475f00863d00d72513764dc1a350e438be3d37ca72d
Instruction Fuzzy Hash: C841DEB4D01258DFCB10CFA9D884AEEBBF1BF49314F14842AE518B7200D778A949CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 077214E0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 07721587

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 73821c4c9f91db3f24a935f3907370a3c7a0e35425e84ce5b5054fbfec125d89
Instruction ID: 596946002e374505a7e2d86fefafa622e1f5596f31b37301d58fc90f6a825842
Opcode Fuzzy Hash: 73821c4c9f91db3f24a935f3907370a3c7a0e35425e84ce5b5054fbfec125d89
Instruction Fuzzy Hash: CE3199B9D042589FCB10CFAAD984ADEFBB0BB19310F14902AE815B7210D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0185D358, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0185D3FF

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b3891de412aea2bed31fa043e1f14ff6aefd33933f0efc7b9a74e1be6977560b
Instruction ID: 7cc8e86d1f92293defbad381fde1d68a590b0f645003b3dbf7e3d6608e8706d9
Opcode Fuzzy Hash: b3891de412aea2bed31fa043e1f14ff6aefd33933f0efc7b9a74e1be6977560b
Instruction Fuzzy Hash: D63199B9D042589FCB10CFE9D984AEEFBB0BB19314F14902AE914B7210D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 06858ED8, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNEL32(?,?), ref: 06858F87

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 848a3157a8666a48f4f71700afb60966c1438567c5b451b4f42ad0cace22dfd9
Instruction ID: fef007fbad027f3f48f666e6f053950f547e40e802913d4d2a8aeb90e10eaabd
Opcode Fuzzy Hash: 848a3157a8666a48f4f71700afb60966c1438567c5b451b4f42ad0cace22dfd9
Instruction Fuzzy Hash: 6231CEB4D052589FCB10CFA9D984AEEFBF1BF48314F14802AE518B7240D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0685A638, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 0685A6E7

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 60f0b502fc93cea2a1d258781c5f78a92c593e75fdf68f23aef1785679c7584f
Instruction ID: de8df4464bd6fa01ef7887b5d5d8885b571c6837f3e4e160ecd116ece41c0a8e
Opcode Fuzzy Hash: 60f0b502fc93cea2a1d258781c5f78a92c593e75fdf68f23aef1785679c7584f
Instruction Fuzzy Hash: 4C31BDB4D002589FCB14CFA9D984AEEBBF1BB48314F14802AE514B7200D738A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 077214D8, Relevance: 1.6, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 07721587

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5eb8b09edcdc785ed8a87a48fa913c034e7d6e9718aeafd2a37260c5421ba1b2
Instruction ID: 4965537c6779aa636ba74f6f1a7e3e5861f43f4447acce5577e4a58a3c2b72d3
Opcode Fuzzy Hash: 5eb8b09edcdc785ed8a87a48fa913c034e7d6e9718aeafd2a37260c5421ba1b2
Instruction Fuzzy Hash: 263197B9D042589FCF10CFA9E984AEEFBB1BB19310F14942AE815B7210D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07721C70, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 07721D11

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3a0fe713ed807d529f60dfd85923d8f48dfb40c7e51b7c5de528b61c9eaf9161
Instruction ID: f87fe21379daa5bd3d7723f9dce8ffc2a1fbb1b9d5e6a717d0221822315f893b
Opcode Fuzzy Hash: 3a0fe713ed807d529f60dfd85923d8f48dfb40c7e51b7c5de528b61c9eaf9161
Instruction Fuzzy Hash: DE31DBB4D01218EFCB00CFA9D984AEEFBF4BB49314F14902AE418B7310D334AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07721C78, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 07721D11

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5a1fa3fe370ac5214bc5e268169b0f42d0d5187b4a55f123a249201e62fc65e3
Instruction ID: 046bb70fb7a361d3d84e291f2de0f2dc01916c055d105a5974e0f9baa252120d
Opcode Fuzzy Hash: 5a1fa3fe370ac5214bc5e268169b0f42d0d5187b4a55f123a249201e62fc65e3
Instruction Fuzzy Hash: F931BAB4D05268DFCB10CFA9D984AEEFBF4BB49314F14906AE418B7210D774AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0685A888, Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 0685A90E

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 42bcac8db4adc4a8727957a5464ccdf1d388013c23cd5cd3d2e9176bd5bab812
Instruction ID: e3b0cce38e6460e9e5e6eb4907d0c23f6a2a1f40f26b296d9a39efdd20e0f3b5
Opcode Fuzzy Hash: 42bcac8db4adc4a8727957a5464ccdf1d388013c23cd5cd3d2e9176bd5bab812
Instruction Fuzzy Hash: 5731D9B4D00218AFCF14CFA9D984AAEFBB4AF49314F15942AE919B7300D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0685A890, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 0685A90E

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f835968845138e47cd883a11631a401f8dddc38c1b8e00697aed1965beb5d812
Instruction ID: b5e251e4376a3e6f2b31c7f35b66c16b66406c11cb432cbcaad1338b39b7a9f6
Opcode Fuzzy Hash: f835968845138e47cd883a11631a401f8dddc38c1b8e00697aed1965beb5d812
Instruction Fuzzy Hash: A831C9B4D042189FCF14CFA9D984AAEFBB4AF48314F15942AE919B7300D735A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 017FD4EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253849815.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46708db1932a5e6a33bb17414fbe838481927d891f8f2957c3db5768c626118e
Instruction ID: f978358da83bad851e223d86fb6c93d7a0b3ca16f46f0b4e3f9b0b4b2e547d5f
Opcode Fuzzy Hash: 46708db1932a5e6a33bb17414fbe838481927d891f8f2957c3db5768c626118e
Instruction Fuzzy Hash: 0921E2B1504244DFDB119F94D9C4B27BF66FB88328F3485ADEA054B306C336D456C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 017FD400, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253849815.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c7882035249af08de8b383f2ea3ca0fb97f2f846da47d4bb75effb2c941221
Instruction ID: 852f099ee1420cdf92b447d8a32e930b0ded8d1655cf6ba9563e5b00d06f7282
Opcode Fuzzy Hash: 24c7882035249af08de8b383f2ea3ca0fb97f2f846da47d4bb75effb2c941221
Instruction Fuzzy Hash: F8212FB2504244DFDB21DF94D9C0B67FB65FB88324F20C5ADEE050A306C336E846CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 017FD3FB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253849815.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2e30cc68d7dd21b2a1a142c7ab3deebdcd8f6eb20e665a8f6e2b4a9e2b1ed0
Instruction ID: 4c0cc781c42285859a7ae610c51c1ee894da8c42ac8c1113ac305f286aad42d1
Opcode Fuzzy Hash: 5a2e30cc68d7dd21b2a1a142c7ab3deebdcd8f6eb20e665a8f6e2b4a9e2b1ed0
Instruction Fuzzy Hash: 45119D76404284DFCB12CF54D5C4B66FF61FB84324F2486ADDD440A616C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 017FD4E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253849815.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2e30cc68d7dd21b2a1a142c7ab3deebdcd8f6eb20e665a8f6e2b4a9e2b1ed0
Instruction ID: 9c0aacbfaea080ec42161506f0bde519c16e68932bbc6b044300c6615a303ee8
Opcode Fuzzy Hash: 5a2e30cc68d7dd21b2a1a142c7ab3deebdcd8f6eb20e665a8f6e2b4a9e2b1ed0
Instruction Fuzzy Hash: 6811AC76404280DFDB12CF54D9C4B16FF72FB88324F2886ADD9490B616C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017FD821, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253849815.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9841e553b39757addbe1fd4a3a9071078e55546b557fcba1121451bd410fa10f
Instruction ID: 889f3bfcdc548c17e70758baa8bb62167fb6857fd7e3f58e8d37572d92122c5a
Opcode Fuzzy Hash: 9841e553b39757addbe1fd4a3a9071078e55546b557fcba1121451bd410fa10f
Instruction Fuzzy Hash: C101DF71448244AAE7218A96CC84B67FF98EB41768F08845EEB485A382D378D844C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 017FD820, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253849815.00000000017FD000.00000040.00000001.sdmp, Offset: 017FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564c4a772965a6320a0b0e50566388d91259c7ce58740cd929dd0fd0738ab4a2
Instruction ID: 891e64bb9a5ad06c4fd80e2ff6fa76fc6d4b3751a40dc4cd9b7acbe79047707c
Opcode Fuzzy Hash: 564c4a772965a6320a0b0e50566388d91259c7ce58740cd929dd0fd0738ab4a2
Instruction Fuzzy Hash: BDF06271408284AAE7218E5ACDC4B63FF98EB51734F18C55EEE485B286C378A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0772D9E8, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0a899de252b540ad3fde83e0fb2bc7a5e4a84b2286de358dd73bc5a18bfb70
Instruction ID: f3edcf4d9a64eaee48a4d2ed4942fc8a527abd54d04aac908adc939675159fc2
Opcode Fuzzy Hash: 8c0a899de252b540ad3fde83e0fb2bc7a5e4a84b2286de358dd73bc5a18bfb70
Instruction Fuzzy Hash: 020209B4E04228CFDB64CF69C844BDDBBB2BF49304F1485A9D418A7395DB349A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06858638, Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2e94ca2ade9e6b6558dd1fb240104410f4dbd7a8b5a9eccca982511f7b0d32
Instruction ID: 20543144692f88a63e0ec6f2aafe1f3d8be3fa483806b76532e8fde1a6adac93
Opcode Fuzzy Hash: 5b2e94ca2ade9e6b6558dd1fb240104410f4dbd7a8b5a9eccca982511f7b0d32
Instruction Fuzzy Hash: 03E10DB0E002288BEB58DFA9CD907DDB7F2AF88314F4481AADA09A7355DB305D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 068550A8, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ea988fbebca092b6fc07173ec26f866b41535a89f9c51245dda6cb103aa6c9
Instruction ID: 42bf35a85762d536d4283b8f8ef6aaea58a48af674dddd5a6e008db116ef6e24
Opcode Fuzzy Hash: c5ea988fbebca092b6fc07173ec26f866b41535a89f9c51245dda6cb103aa6c9
Instruction Fuzzy Hash: D1E13974E042198FCB54CFA9C580AAEFBB2FF89305F268169D915AB315D730AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068574F0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604a8df3f7b29411dea1b71d645a49f1be16c728aa4fba53c7bdac6cd31743da
Instruction ID: 3e3dd5383cb4f5a2083fc8b78e2de53d488ff8bc01b6aee7696631a7115dcaa3
Opcode Fuzzy Hash: 604a8df3f7b29411dea1b71d645a49f1be16c728aa4fba53c7bdac6cd31743da
Instruction Fuzzy Hash: 00E1F874E0421A8FCB54CFA9C980AADFBB2FF89305F258169D915AB355D730AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06859268, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5a2d89109dabd92edd10a76c3e89d0cc5b4c6d91008605142b8476a4a12130
Instruction ID: 484ea25c52ee5da3a22f5263cd23ac36934291475041e6a72ebc34803ec1f72b
Opcode Fuzzy Hash: 5d5a2d89109dabd92edd10a76c3e89d0cc5b4c6d91008605142b8476a4a12130
Instruction Fuzzy Hash: 8FE12774E0415ACFCB54CFA9C580AAEFBB2FB89305F268169D915AB345D730AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 068567F8, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ddc0e74dcd2b9b2b0712ee0fe264fc196ee9dc688a795c678b5b249ca89234
Instruction ID: 3738a56d9ff7fba3f72c2ce7cbf83d3d4ff19d7b3d676378df01c9954370e3cc
Opcode Fuzzy Hash: d1ddc0e74dcd2b9b2b0712ee0fe264fc196ee9dc688a795c678b5b249ca89234
Instruction Fuzzy Hash: CAE11A74E041198FCB54CFA9C580AADFBB2FF89305F258169D915AB315D730AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06855520, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbafa368a1948538af46e19b5d2aadd4bc5acb5c1edaa734ad74dcb344018c01
Instruction ID: d695878defa8888c27ce89dc2da9aa2cca882685ccd3841b60bb5a7351e11875
Opcode Fuzzy Hash: bbafa368a1948538af46e19b5d2aadd4bc5acb5c1edaa734ad74dcb344018c01
Instruction Fuzzy Hash: 67E11874E0421A8FCB54CFA9C580AAEFBB2FF89305F268169D915AB315D730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07727CD1, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3595e63be2e348fddf4d32195611c2d31e8e1998e9d859d3f12cdbea6f9a03f
Instruction ID: 457ee0e033e05d5cd741a96946a9d37b88dacc4cae6574c46b8d2ff5895e24d1
Opcode Fuzzy Hash: c3595e63be2e348fddf4d32195611c2d31e8e1998e9d859d3f12cdbea6f9a03f
Instruction Fuzzy Hash: C2D11630D2075A9ACB10EF68E954A9DB371FF95300F518B9AD14977211EF70AEC9CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07727CE0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d1ce0c267828975dd175fd915ad5f792df5bd33cbf5a2e894ff12e485005cd
Instruction ID: f04cc282bc48e6cc032d4af74be2d5bf6ba35c6605753e55d51cf6940abbeb05
Opcode Fuzzy Hash: d2d1ce0c267828975dd175fd915ad5f792df5bd33cbf5a2e894ff12e485005cd
Instruction Fuzzy Hash: 8FD1F430D2075A9ACB14EF68E954A9EB371FF95300F518B9AD14977210EF70AEC9CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0185C318, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253942702.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e28b580f46310f70a7861fabf7c5a32e6adb0c7ea8a3dccf2241eab298409f3
Instruction ID: d07553a60ebafa184ac21dcd062f53976fbbce307aa8a123bf7900331741b682
Opcode Fuzzy Hash: 8e28b580f46310f70a7861fabf7c5a32e6adb0c7ea8a3dccf2241eab298409f3
Instruction Fuzzy Hash: 8181B435F042188BDB58DBB5985567E7ABBBFC8708B45882DE416D7388CF38CA418F91

Uniqueness

Uniqueness Score: -1.00%

Function 06855510, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8266b1f4b0448b09bab1a55f4cce50557945eba5d6bb73f6865e58a5cf48c4
Instruction ID: 6baa3e9a13d644e9d1a0285bfe378e12a9b14724ac37a815f79217c4b7087dbd
Opcode Fuzzy Hash: 5c8266b1f4b0448b09bab1a55f4cce50557945eba5d6bb73f6865e58a5cf48c4
Instruction Fuzzy Hash: C5510970E0425A8FCB54CFA9C9805AEFBF2EF89305F258169D918AB315DB309D41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06855099, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260985653.0000000006850000.00000040.00000001.sdmp, Offset: 06850000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a71c0559eb4f0f6b79e9195f3d3a24683e3e554877ecf8dce97bfd89137f2fe
Instruction ID: bc9009370a41730cba98bb77214d53fbb4ed123b95631d4c4b7a0a27bdd09df2
Opcode Fuzzy Hash: 4a71c0559eb4f0f6b79e9195f3d3a24683e3e554877ecf8dce97bfd89137f2fe
Instruction Fuzzy Hash: 85510C74E042198FDB54CFA9C9805AEFBF2FF89305F2581A9D918AB315D7309942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07727054, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4714048ffd07365d68946a9e4eb9a72d961f41a2eee40581dd53903a9e4ebbda
Instruction ID: 9fa2e32cbc4ab678c3edbf6a8d04d1ffbd15b75197b9a179a125853f94d36daa
Opcode Fuzzy Hash: 4714048ffd07365d68946a9e4eb9a72d961f41a2eee40581dd53903a9e4ebbda
Instruction Fuzzy Hash: 5401AFB8D052489F8F05CFA9D4818EEFFF2AB5A210F14A16AD815B7310D2319945CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 07727060, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261101728.0000000007720000.00000040.00000001.sdmp, Offset: 07720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: 3fbc241869fde260cdfc2c589a61711bcc845019fd74835f3a58360b56bcbef5
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: 0EF042B5D0520C9F8F04DFA9D9418EEFBF2AB5A310F10A16AE914B3310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SlaZL2LqI2.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage