Play interactive tour

Edit tour

Windows Analysis Report moni $@.exe

Overview

General Information

Sample Name:	moni $@.exe
Analysis ID:	458678
MD5:	1e46a61b2d491a15952bd579210ecb8f
SHA1:	5bb236d5c49991298040dd88b4b83c4cb21e148a
SHA256:	b07a33b6e6d8007b04f1f4a78cd8be773506bbf6b60ed0227665188d57e82a15
Tags:	exenull
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

moni $@.exe (PID: 3516 cmdline: 'C:\Users\user\Desktop\moni $@.exe' MD5: 1E46A61B2D491A15952BD579210ECB8F)

RegSvcs.exe (PID: 5996 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

RegSvcs.exe (PID: 6000 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

RegSvcs.exe (PID: 404 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

RegSvcs.exe (PID: 6060 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

RegSvcs.exe (PID: 6028 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x59470:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5980a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6551d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x65009:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6561f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65797:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5a222:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x64284:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5af9a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x6a60f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x6b6b2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x67541:$sqlite3step: 68 34 1C 7B E1 0x67654:$sqlite3step: 68 34 1C 7B E1 0x67570:$sqlite3text: 68 38 2A 90 C5 0x67695:$sqlite3text: 68 38 2A 90 C5 0x67583:$sqlite3blob: 68 53 D8 7F 8C 0x676ab:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: moni $@.exe PID: 3516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\moni $@.exe' , ParentImage: C:\Users\user\Desktop\moni $@.exe, ParentProcessId: 3516, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 5996

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\moni $@.exe' , ParentImage: C:\Users\user\Desktop\moni $@.exe, ParentProcessId: 3516, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 5996

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: moni $@.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: www.panyu-qqbaby.com/weni/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: www.panyu-qqbaby.com/weni/

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: moni $@.exe	Virustotal: Detection: 39%			Perma Link
Source: moni $@.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: moni $@.exe

Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\moni $@.exe

Unpacked PE file: 0.2.moni $@.exe.ff0000.0.unpack

Source: moni $@.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED

Source: moni $@.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.panyu-qqbaby.com/weni/

Source: moni $@.exe, 00000000.00000002.247463240.0000000003211000.00000004.00000001.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\moni $@.exe

Code function: 0_2_00007FFF2AF5629E

0_2_00007FFF2AF5629E

Source: moni $@.exe, 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStoreElement.dllB vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.250882555.000000001BD70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.246983941.000000000109A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAppDomainHand.exe6 vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.247121884.00000000014EC000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.247434414.00000000030F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConfigNodeType.dll> vs moni $@.exe
Source: moni $@.exe	Binary or memory string: OriginalFilenameAppDomainHand.exe6 vs moni $@.exe

Source: moni $@.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED

Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: moni $@.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/1@0/0

Source: C:\Users\user\Desktop\moni $@.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\moni $@.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

Mutant created: \Sessions\1\BaseNamedObjects\CmNWJcEtJlScVAi

Source: moni $@.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\moni $@.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: moni $@.exe	Virustotal: Detection: 39%
Source: moni $@.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\moni $@.exe 'C:\Users\user\Desktop\moni $@.exe'
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: moni $@.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: moni $@.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\moni $@.exe

Unpacked PE file: 0.2.moni $@.exe.ff0000.0.unpack

Source: C:\Users\user\Desktop\moni $@.exe	Code function: 0_2_00007FFF2AF57F13 push ebx; ret		0_2_00007FFF2AF57F1A
Source: C:\Users\user\Desktop\moni $@.exe	Code function: 0_2_00007FFF2AF5AC5D push edi; ret		0_2_00007FFF2AF5AC66

Source: initial sample

Static PE information: section name: .text entropy: 7.91066136918

Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: moni $@.exe PID: 3516, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\moni $@.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe TID: 4852	Thread sleep time: -38692s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe TID: 6136	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe	Thread delayed: delay time: 38692			Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\moni $@.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\moni $@.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

Queries volume information: C:\Users\user\Desktop\moni $@.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\moni $@.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing12	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection11	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
moni $@.exe	39%	Virustotal		Browse
moni $@.exe	35%	ReversingLabs	Win32.Trojan.Swotter
moni $@.exe	100%	Avira	HEUR/AGEN.1142734
moni $@.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.moni $@.exe.ff0000.0.unpack	100%	Avira	HEUR/AGEN.1142734		Download File
0.2.moni $@.exe.ff0000.0.unpack	100%	Avira	HEUR/AGEN.1142734		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.panyu-qqbaby.com/weni/	7%	Virustotal		Browse
www.panyu-qqbaby.com/weni/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.panyu-qqbaby.com/weni/	true	7%, Virustotal, Browse Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	moni $@.exe, 00000000.00000002.247463240.0000000003211000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458678
Start date:	03.08.2021
Start time:	16:36:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	moni $@.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 2% (good quality ratio 1.6%) Quality average: 51.6% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 86% Number of executed functions: 69 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
16:37:30	API Interceptor	1x Sleep call for process: moni $@.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\moni $@.exe.log Download File
Process:	C:\Users\user\Desktop\moni $@.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1742
Entropy (8bit):	5.381353871108486
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
MD5:	978918F6120A43D1FA5899938A5A542F
SHA1:	6567A2E687B40BFD3A46246F51F4C89D93D89455
SHA-256:	F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
SHA-512:	1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.904280766447238
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	moni $@.exe
File size:	680960
MD5:	1e46a61b2d491a15952bd579210ecb8f
SHA1:	5bb236d5c49991298040dd88b4b83c4cb21e148a
SHA256:	b07a33b6e6d8007b04f1f4a78cd8be773506bbf6b60ed0227665188d57e82a15
SHA512:	022f35d056e6e1856b9c57e7d96ed63b221ad961d0d55085f26bceeb5659bb652cb2bf2e294e4a2c830a3aae67f7ecbcf57021990939b28d771d8afbbc247eb4
SSDEEP:	12288:YBg2LBBBBBBBBBBBXBBBBBBBBBBBRqLHPmm9SrzQnD+rdhpAUh7qIe6YHedKhBg/:YZmvmYSwSpFZi+dKbgwtGJl+KP3hv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................X..........Jw... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4a774a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61089407 [Tue Aug 3 00:55:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa76f0	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x61c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5750	0xa5800	False	0.918747639728	data	7.91066136918	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x61c	0x800	False	0.33740234375	data	4.62076178534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xaa0a0	0x378	data
RT_MANIFEST	0xaa418	0x204	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	AppDomainHand.exe
FileVersion	1.0.0.0
CompanyName	flextronics
LegalTrademarks	flex
Comments	flex spare part room
ProductName	Spare Part
ProductVersion	1.0.0.0
FileDescription	Spare Part
OriginalFilename	AppDomainHand.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: moni $@.exe PID: 3516 Parent PID: 5680

General

Start time:	16:37:26
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\moni $@.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\moni $@.exe'
Imagebase:	0xff0000
File size:	680960 bytes
MD5 hash:	1E46A61B2D491A15952BD579210ECB8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5996 Parent PID: 3516

General

Start time:	16:37:32
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x1ea58910000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6000 Parent PID: 3516

General

Start time:	16:37:32
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x1fc30120000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 404 Parent PID: 3516

General

Start time:	16:37:33
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x25f29860000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6060 Parent PID: 3516

General

Start time:	16:37:33
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x17f6b7a0000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6028 Parent PID: 3516

General

Start time:	16:37:33
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x1f4cfd30000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: moni $@.exe PID: 3516 Parent PID: 5680 moni $@.exeCOMMON

Executed Functions

Function 00007FFF2AF5629E, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f816da1cba57b3af6ea9effab95975840a902baf09b4602ba22c1e3305e5877a
Instruction ID: 12047b2e02f22e931741b7d4184875573b23bc9a112c02fb2a5604ca0b0bc284
Opcode Fuzzy Hash: f816da1cba57b3af6ea9effab95975840a902baf09b4602ba22c1e3305e5877a
Instruction Fuzzy Hash: 52712B74D0821A8BEF98DF64C8806BDBBF2BF85300F1481B9D51D67296DB386A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50D5C, Relevance: 1.4, Instructions: 1415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2508e66a847d14091922210382c1b30a466888ebf657c8f373ea12ecc1372dc1
Instruction ID: d4c2d5cd71c7e75077f7b48f47043536c6a7c5a222d2d2c79f7106ed59586a0e
Opcode Fuzzy Hash: 2508e66a847d14091922210382c1b30a466888ebf657c8f373ea12ecc1372dc1
Instruction Fuzzy Hash: 3792C920B2491D8FA6D8F77C84AA3B961C3EFDC696B5540F9E04ED3396DD289D42D302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5AD34, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

xkq, xrefs: 00007FFF2AF5AC89

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID: xkq
API String ID: 0-3584802376
Opcode ID: 53d764ed2d892bf1b67ff71cfc0d2b0bba8e670481a7c7e6e8719ee753eda6f9
Instruction ID: d5daca40b19eecac56ed1531bfd7364a82e2b0d6fcf7b126c4ecdefdeee1883e
Opcode Fuzzy Hash: 53d764ed2d892bf1b67ff71cfc0d2b0bba8e670481a7c7e6e8719ee753eda6f9
Instruction Fuzzy Hash: D121CC34A1560DCFCB48DF98D4989ADB7F2FB59300F108169D01AEB395DA34A915DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5AE74, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFF2AF5AE77

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 03849aa0147de56145175dd159ab8eb96fc617714e01fdf300eafc78e4364923
Instruction ID: 21ccb7c573d2cf4efe3298aa10a9d408cfda00c40a80cb76ac13027056341a12
Opcode Fuzzy Hash: 03849aa0147de56145175dd159ab8eb96fc617714e01fdf300eafc78e4364923
Instruction Fuzzy Hash: CE115234A1491C8FDF98EB9CC899BEDB7B1FFA8301F5041A9D04EE7255CA35A981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53C6E, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

`_H, xrefs: 00007FFF2AF53C70

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID: `_H
API String ID: 0-648823407
Opcode ID: 8971a629bb0361e312679b02797b050aee5fd32e6b38dde1c31a55a5e4f033a0
Instruction ID: 06ef0eb53c9276e03d19f594370be391c484351ba19429ec2297ac1302ae6c1f
Opcode Fuzzy Hash: 8971a629bb0361e312679b02797b050aee5fd32e6b38dde1c31a55a5e4f033a0
Instruction Fuzzy Hash: 1E012C30B1891A4FEBA8DF3C842863A62D1EF69302B0146BE944BD76A1DE24DC419740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF527F0, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

), xrefs: 00007FFF2AF52840

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID: )
API String ID: 0-948487263
Opcode ID: 2ebdc157c63132471dbbd1e7b0c82bb333a94ceb3f3f589b27824084969087ba
Instruction ID: 5ea78f7ad9e6f1ccfab647a02f239a9c50be7239cf78b886c139d5a9958da2d2
Opcode Fuzzy Hash: 2ebdc157c63132471dbbd1e7b0c82bb333a94ceb3f3f589b27824084969087ba
Instruction Fuzzy Hash: 9D01FB30E54A1E9FDB94EBA888452FEB7F0FF59305F4005BAD41DD3691DE79AA408780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52930, Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298f70c60172b169a27aec0c35205da0ef3d109ea8bd45174cb16a4d57e7faa9
Instruction ID: da70ff93a81022497b599a9c64cff6e4ba57b8f50cc9a61a5a27b46054f7dcc2
Opcode Fuzzy Hash: 298f70c60172b169a27aec0c35205da0ef3d109ea8bd45174cb16a4d57e7faa9
Instruction Fuzzy Hash: 01B14821A0D69A0FE359A6785C951B4BBD2EF86312F1802FED49ED71C3DC1DA9838391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF51BD5, Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e587e0eb71d37009c61c5f34452073c9f85ad97aac81d5f2637dd4421959b39
Instruction ID: 0194951ab1831e90dc79262d5c4cdf9cc00b2b23aca1b17cace44f1570bdb5bb
Opcode Fuzzy Hash: 9e587e0eb71d37009c61c5f34452073c9f85ad97aac81d5f2637dd4421959b39
Instruction Fuzzy Hash: 7DA1C7307189088FDB99EB2CC469BA977E2FF9C315B5544F9E04ED72A6CE24EC418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53EC2, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c98d95435449ff5ad3b6300c77cc8937b64df0f11f11faac6e982301cd2a84e
Instruction ID: 671c4e45cae3027482cbcdc8565c1fa2b338a4da1bba116233368d66f1291e2d
Opcode Fuzzy Hash: 5c98d95435449ff5ad3b6300c77cc8937b64df0f11f11faac6e982301cd2a84e
Instruction Fuzzy Hash: 9F416030A1482D4BD75CDA99D894ABDB2E3FFC4711B6442B9E10AE72C6CD796C02C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52509, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd66a42664d99caee6a96b76124344eff33509dd24d5590ecb4be279aaf52c54
Instruction ID: b737b8642e363fa7c9020dc3317c1c98dda163c3f310c7694f6b1da0f448c210
Opcode Fuzzy Hash: dd66a42664d99caee6a96b76124344eff33509dd24d5590ecb4be279aaf52c54
Instruction Fuzzy Hash: 4A4174B891451E8FDF98DF99D4A4ABDBBF1FB28311F102269910AE7690CF749941CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5CEF4, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e759d30b0f20844f0665ae33b9732b2fa83b85566d3532db0adafc071a0d38
Instruction ID: c42a4c8176e046d4d08adfdf2f599e3b745ebf931cc935a0d2125bd6e4842428
Opcode Fuzzy Hash: 99e759d30b0f20844f0665ae33b9732b2fa83b85566d3532db0adafc071a0d38
Instruction Fuzzy Hash: 8B41AE7090E7C98FD703CF6488606997FF0AF5B314B0945DBD484DB2A3C6289A1AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55D39, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0e4e2003605f5e80a5e1847244803b5ba225c04c872ed20f908a2b7af63649
Instruction ID: b3a26414902bd52a65898cc2e0b6ee5a229215dd28c6bdb0233b1cd2d446fd70
Opcode Fuzzy Hash: ef0e4e2003605f5e80a5e1847244803b5ba225c04c872ed20f908a2b7af63649
Instruction Fuzzy Hash: 8041637091895E8FDBA8EF58C855BA8B7F1FF58301F5041E9D40EE7291DA356A81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5370B, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03057fb5a4263ac2214e4e820dc1f13c381ab903b946158730f65e144d28d776
Instruction ID: 7b71dd6cba548ec4d2dd3a9b1845cf71a19d0d2411230f5a122da05429d5800e
Opcode Fuzzy Hash: 03057fb5a4263ac2214e4e820dc1f13c381ab903b946158730f65e144d28d776
Instruction Fuzzy Hash: 9F31A170B1CA198FEB58FF2C94892B973D1FB58315B5441BAD80AC7692DE38E8428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5302A, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff9f47d7f3d3f931e036ed0405ecbfd9382846c8beebbcd1e186681eae03086
Instruction ID: ab28d601326c7e045261f10f4a08f1f855c0022f0e1c643c5809d825733047f5
Opcode Fuzzy Hash: aff9f47d7f3d3f931e036ed0405ecbfd9382846c8beebbcd1e186681eae03086
Instruction Fuzzy Hash: E6315030E18A099BD798EB68D4A16BEB3E1FF59314F9041B9E00AD7692DE3CA540CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5CF30, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef8055e2f88ae19ee07678422470b56f4e1302d676f2a8c5f4c77a3e28e7714
Instruction ID: 27ff97bbb967e460947c815f478827579d758bec9389fe8af823a084b2ee9daf
Opcode Fuzzy Hash: 1ef8055e2f88ae19ee07678422470b56f4e1302d676f2a8c5f4c77a3e28e7714
Instruction Fuzzy Hash: F731AB3090D7898FDB02CF64C8606997FF1EF4B310B0945EBD485EB2A2CA789906CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55E73, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c5b40c6dd190e7e8e6a9a2529ddc80c99164cd5558207e9dc402550165f2bf
Instruction ID: 3720197f53057a2fd6a1e3c58bd83a23e3fca458f0809a308abbcbe549257a78
Opcode Fuzzy Hash: a6c5b40c6dd190e7e8e6a9a2529ddc80c99164cd5558207e9dc402550165f2bf
Instruction Fuzzy Hash: 3831B530E1491E8FDB99EB58C855AE8B7F1FF59310F5001E9D10EE7291CA39A981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5BA8C, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e15db00dacebce6f9439c021ebfaa9a86f88a7c682f89a149124e19e7faa44b
Instruction ID: 6adb741ed7eec9768f2cdb740a1a657b934e0380574070631094d8ff77958244
Opcode Fuzzy Hash: 8e15db00dacebce6f9439c021ebfaa9a86f88a7c682f89a149124e19e7faa44b
Instruction Fuzzy Hash: B331B270D0964A9FDB45DF24CC459EEBBF0FF89310F1442BAD40997196EB38A646CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52CC0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eace52bc1cd6d43a0345747b0227b86b5b8ab36154373f6db50879cb6a6572e
Instruction ID: b12c4f91bb97e1080769677619e6f57b0aeda775ab20d4ae8d68939b28686957
Opcode Fuzzy Hash: 3eace52bc1cd6d43a0345747b0227b86b5b8ab36154373f6db50879cb6a6572e
Instruction Fuzzy Hash: 59313830A0865D8FDB94EF28C8446EE73F2FB99315F5005BAD40DD7295CB39AA51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52CB8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48c0f1d7ff9aa93791e4fdebd1f9b0dad1c3573d85a77b78dcd2e359162de16
Instruction ID: 79bf26350cacd1d9fb5d7f8cb6ae2e2fbc009888bcc7813f3a9c4831ed131518
Opcode Fuzzy Hash: e48c0f1d7ff9aa93791e4fdebd1f9b0dad1c3573d85a77b78dcd2e359162de16
Instruction Fuzzy Hash: 45316F30A0860D8FDB98DF58C8546ED77F1FF59314F50057AE41AE3295CB39A952CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52CC8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80b7bc65dbcdd9271d5e9877351d64eba3459d106f69f86e3adfdf0e15d0db7
Instruction ID: 7e7671bd66340009d860f4138eaaf4b7c332112170c7919ecc0e1b5f9ece1cf0
Opcode Fuzzy Hash: c80b7bc65dbcdd9271d5e9877351d64eba3459d106f69f86e3adfdf0e15d0db7
Instruction Fuzzy Hash: 75317A70E0461D8FDB54DF68D844AEEB7F1FF89300F1081BAE519E3295DA38AA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53622, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17003ec404fdad78cc8960b91b61908f5ebfb83ac4e3980d38bc0949e73cee1f
Instruction ID: 3a0f0820286eb37e29760dd015fda86533039502c2872c46160932167a70b475
Opcode Fuzzy Hash: 17003ec404fdad78cc8960b91b61908f5ebfb83ac4e3980d38bc0949e73cee1f
Instruction Fuzzy Hash: 20218125D2C91647EB1C4A1888A21B8B6C0EF11301F4A46FDCDEB479D6DE1CE96246D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55630, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f368a6407fd1c97ed017dca6b505474bf3523b5f4e3c0fc2bd538e1afa4b8c
Instruction ID: e4d9c1b2cbf72c355d90ca8301a1ddc238a32e3d7732877775f1fe6b1a720366
Opcode Fuzzy Hash: 56f368a6407fd1c97ed017dca6b505474bf3523b5f4e3c0fc2bd538e1afa4b8c
Instruction Fuzzy Hash: C33190B4D1824E9BDF58DF94D8956FEBBB1BF58300F10456EE81AA3380DB386A50CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF59DAB, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa805de1a542011971fdfcc3ebf44d345222930b45d72bf989e874691cd06314
Instruction ID: ec015665586809ef90445a270633d75a6dea74f1e723488ddd08df32ee4289b7
Opcode Fuzzy Hash: aa805de1a542011971fdfcc3ebf44d345222930b45d72bf989e874691cd06314
Instruction Fuzzy Hash: B721811BA4E1565EE7567639B8461EDBFA0EF83331F1800F3E54889093DA5D2A8CC6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF56342, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87bd04c80b1a1ce19953d0321b76515f907b1159376f1d9e2001d8adc7d40a7
Instruction ID: 8f2f56cd4e180dbd5a42df9f328dcc70f9e5a3c20d688c536910a2c1e9dc4d55
Opcode Fuzzy Hash: d87bd04c80b1a1ce19953d0321b76515f907b1159376f1d9e2001d8adc7d40a7
Instruction Fuzzy Hash: A231C670D052198BEB58DFA9D881AADBBB2BF88300F6481A9D10D77356CB386941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55628, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8186e86168e79cd0ef6cb23f889da7b69522fb1f7e0fd9dd5e747c1f90898b8
Instruction ID: eca7896cb82c43b1fa974446aaa49bb49be17c681a228ddd34b22f4571f743db
Opcode Fuzzy Hash: d8186e86168e79cd0ef6cb23f889da7b69522fb1f7e0fd9dd5e747c1f90898b8
Instruction Fuzzy Hash: 983194B4D1525A9FDF58DF94D8656BEBBB1BF48300F10416ED816A2380DB786A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52E9C, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0302b1afa11f1d6dfca663778347613e328a4cc5a8e2bb6d939379c2e3293297
Instruction ID: a274ef0355a12556ffc980f25cac832a964d75dc0f0cdba1a5da004b9ba78b03
Opcode Fuzzy Hash: 0302b1afa11f1d6dfca663778347613e328a4cc5a8e2bb6d939379c2e3293297
Instruction Fuzzy Hash: 92119F30B1C9198FD778DE68A855A7577D1FF54300B1243F5E44EC7291DE149C414B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF555E9, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c084b422fd5fa484b9a0462483d6e01661e002520c43ae23bb182d17a2199f
Instruction ID: 21eed8afe4c918093924e0be577f442605fc5856bfdfd6dacb968e9c434be279
Opcode Fuzzy Hash: 40c084b422fd5fa484b9a0462483d6e01661e002520c43ae23bb182d17a2199f
Instruction Fuzzy Hash: ED2180B4D1825A9FDF5CCF94D8A56BEBBB1BF58304F10446ED81AA3390CB386A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53D84, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdc2ea3147f722151debf556ed6650667e091acee52961dc1c610834315a69e
Instruction ID: 4367431d49f04f071a858dd55445b5fd03aed80be5d7fdcfb51da5b3e5b51c15
Opcode Fuzzy Hash: ffdc2ea3147f722151debf556ed6650667e091acee52961dc1c610834315a69e
Instruction Fuzzy Hash: 6611A532E4892D8FEB91FB6898595ECB7E0FF58361B5401F6D44DD3242DE2D99418B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5C208, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee24c56b55835b046a26fc80e1728ced3edf4385800b5c8b84fdfeaf903a6d94
Instruction ID: e02b815142376c35cf902766291cf84acef6eeaa72793a00409f0ae40d44adff
Opcode Fuzzy Hash: ee24c56b55835b046a26fc80e1728ced3edf4385800b5c8b84fdfeaf903a6d94
Instruction Fuzzy Hash: 8F215E30A0865D8FDB54DF68C9446DE7BF1FB98310F0042AAD40DE7395DB789A54CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55312, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294633fe45ea2722313b97c785ac25f5feede3b1c32ce3bc90df467b967cfa73
Instruction ID: 4a12c5795ed19d0d801da51bb2f58a40822948020225f81baa21a01de426c0ae
Opcode Fuzzy Hash: 294633fe45ea2722313b97c785ac25f5feede3b1c32ce3bc90df467b967cfa73
Instruction Fuzzy Hash: B211AC31E1854D9BDB90AB649C222EEB7F1FF88310F4405F5E10DEB292DE286950C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5528B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e853939479ba74b25a4e6cdd8bf90d8608ebde472af37c1ff7de3482e4ee4f
Instruction ID: 7d90d780c13c983aa89d7c5e7b728cf8dd41fdf8d8cd951c8a28df3ade9bfd50
Opcode Fuzzy Hash: d5e853939479ba74b25a4e6cdd8bf90d8608ebde472af37c1ff7de3482e4ee4f
Instruction Fuzzy Hash: 80012131B0CA044FD748DA1CA4566A9B7E1FBD9321F04127FE04DD7662CE65A8418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50B13, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606706b9578d0e692b9c4ca80586de4ba2530d82d385ca739512f9155b70161f
Instruction ID: d939ad09c20472f49bb3c8732969486a59dc6004ffdbc72eed1bff68bb6a15ee
Opcode Fuzzy Hash: 606706b9578d0e692b9c4ca80586de4ba2530d82d385ca739512f9155b70161f
Instruction Fuzzy Hash: 9611F94048F7C21FE39343B899692923FEA9D8742070E41EBE5C8CE4A7C58E084AC323

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5044F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9899f7c62f0e73cb866329ff40df5c0ca7b90dff3f156b0f50e3fecca329333
Instruction ID: 4a01709935ae7a14f7a95c7659b785d665329aedf5c5f1c7e4a202d9269c60df
Opcode Fuzzy Hash: c9899f7c62f0e73cb866329ff40df5c0ca7b90dff3f156b0f50e3fecca329333
Instruction Fuzzy Hash: E711E532D0E6899FD761AB78485A2FD7FE0FF45210F5404FBD44887592D93866448741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50B8B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5177b586abe96cfd8c26fed250ddf897721bf552ac47a3c86d00f5b9685125
Instruction ID: 8099421f7e39216267324566dbc0663daa7262bdc4d448d7508892780d618070
Opcode Fuzzy Hash: ea5177b586abe96cfd8c26fed250ddf897721bf552ac47a3c86d00f5b9685125
Instruction Fuzzy Hash: CB01D43250DA9A0FD796923884A86A47BE1EF4675571801E7D08DCB5A3DE189C43C382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5089F, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec0ecbf546e5e16fff1318e96acd79e8f77e1635bdffd693607f6bbbaf5655f
Instruction ID: f1e28f6c8b31e4bfef14af794f7f4e5b7f2ab593f97eecf50fe2108332202f14
Opcode Fuzzy Hash: 1ec0ecbf546e5e16fff1318e96acd79e8f77e1635bdffd693607f6bbbaf5655f
Instruction Fuzzy Hash: 5A010C30A1891E8FEBD4EB1CD4A5BB9B3E1FF58311B1400A9E50DC7696DB28E851C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5042B, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f19ab577a1e6ccfba2da9ef6c76bc662eb3faa5532037fdb7aa353c65df8c0
Instruction ID: c9cd12f38d0567177c6cdf305059e5425aabdb9d623f8c6b5b7493d392b8a475
Opcode Fuzzy Hash: e4f19ab577a1e6ccfba2da9ef6c76bc662eb3faa5532037fdb7aa353c65df8c0
Instruction Fuzzy Hash: B301A121C0D68A9EE7A1AB74581A2FD7FE0FF05200F9404FBE84C86592DE3D66448741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55C8E, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a7e9e4d15f9574a9131173bf9eb80a64695314c653c7b4d59e5d33b0939960
Instruction ID: 723439ba6ac6b4e295340fc9a7f8ec5a648cfc73825f1d4da0d67ec75c657d41
Opcode Fuzzy Hash: 47a7e9e4d15f9574a9131173bf9eb80a64695314c653c7b4d59e5d33b0939960
Instruction Fuzzy Hash: 96115274A18A2D8FDFA8EF18C894BA9B7F1FB59300F5041E9904DE7651DB34A981CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5BB0C, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9bbe1fed3dfe2366dff4c2be5cfa19a5f2f5fcd0f3c695d3ba157477b9995
Instruction ID: 2fd69cc5262998f4ceeebe3bea056fe51b14746bd9096b1e3f4b1a15f077d56c
Opcode Fuzzy Hash: 05d9bbe1fed3dfe2366dff4c2be5cfa19a5f2f5fcd0f3c695d3ba157477b9995
Instruction Fuzzy Hash: 3D01BC7080E2C99FDB829F248C154E53FE0FF0A204F0401EAE84887192EA79A645CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55C1C, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095d3e64d7b64495422ecbe1d0350a19d46df463e5eee153084f4746abff3888
Instruction ID: 962b47652715bac725d667ef6d2b76bf07383a884b98b395bc202f2c0cc973bf
Opcode Fuzzy Hash: 095d3e64d7b64495422ecbe1d0350a19d46df463e5eee153084f4746abff3888
Instruction Fuzzy Hash: 84019734E1950D8FDB98EFA8C4956ADBBF1FF59301F60406DD40DE7292CA24A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5C2C3, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5815d68fcaaa3079534afad1db1b0d48fcfac2c5e337d1c501203e2657d47e9
Instruction ID: 2091acd0ed7e91bb05a479dbad9d4d7745d093b845541fc2641337950c186f49
Opcode Fuzzy Hash: c5815d68fcaaa3079534afad1db1b0d48fcfac2c5e337d1c501203e2657d47e9
Instruction Fuzzy Hash: 7401A534E046598FDB58DF98D994AEDB3F2FB99311F10416AD41EA7394CB38AE42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF55B48, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbefc230a19c6a8f4db1cbe917a296a7dbbe03f9cfad1bafb55419c29e375509
Instruction ID: 961dfc8c9ab2a7bb803fc250f3fe233dae4327e4a8100b46922d5a3e225be368
Opcode Fuzzy Hash: bbefc230a19c6a8f4db1cbe917a296a7dbbe03f9cfad1bafb55419c29e375509
Instruction Fuzzy Hash: FDF01D3085964D9FDB45EF28DC466E97BE0FB59314F010266F80CA3261DB78AA54C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF545DE, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a65d1b961482c81fa411e4afb12da73f1e459cd46d261978dcf87244a67989d
Instruction ID: 8431b83c7a829321c5b891cbbcc2b456749480e917a23d3e745dcd79610781a9
Opcode Fuzzy Hash: 8a65d1b961482c81fa411e4afb12da73f1e459cd46d261978dcf87244a67989d
Instruction Fuzzy Hash: D3F03012F095064FDB40E63CAC995EDB3C7DF8422275551F6D40ACB2A7EC7D9D464340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50BBD, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2d59551ac713d89fbac50c533226e52b4cfacc3f3eef1f02289a51df2a438e
Instruction ID: badde942ba3b6d44a44cee2d3bd3b718a9db12125cb111d61b217fe5660e8623
Opcode Fuzzy Hash: ae2d59551ac713d89fbac50c533226e52b4cfacc3f3eef1f02289a51df2a438e
Instruction Fuzzy Hash: EDF0150154FBD21FD38353B908782A9BFE59E8752870E00EBD488CB5E7C98D1D0AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF54D7A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8f53de7cefb84015a45b9e5cfe70f44b8417dd4510c5f4a0db996f2f368345
Instruction ID: e88601a80eedc78ec583624e2d99645ce138949daa443b3a6dc01e9f7f95c89a
Opcode Fuzzy Hash: 9f8f53de7cefb84015a45b9e5cfe70f44b8417dd4510c5f4a0db996f2f368345
Instruction Fuzzy Hash: 8DE06D3170980A4FEB84F26CA8459F4B3D1EF5832171101B6D00EC7256DD2AED828740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5C9F2, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bc9078bda504a1d44a3b81218faebe6e1135474c115087ec09a8fae7d73ef8
Instruction ID: 1a857db59dc4dab59f541e726e1d316997d49204cde7cfcea6d2f4c6bd729280
Opcode Fuzzy Hash: c5bc9078bda504a1d44a3b81218faebe6e1135474c115087ec09a8fae7d73ef8
Instruction Fuzzy Hash: 28F0F930D0464D8FDB58EEA5C8A58ADBBF9FF59304B108169D51A6B242DA39A903CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53AE8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20529a407c6341940bac7f9b79b2db9fd6e9f915d0f12478874af8672572f17
Instruction ID: 2530f75ac7acb70161e42652071fa3153d8f5796c2e968eaa041ddc86f2fa935
Opcode Fuzzy Hash: d20529a407c6341940bac7f9b79b2db9fd6e9f915d0f12478874af8672572f17
Instruction Fuzzy Hash: 57E0201270C84B4FFBA0365D7C894E477C0EB44260B4802F2DB5CC7156E81E5DC14310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF52CA8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef10560fa01053edc917d33d95cbf31b2e5a52fb52c2c144b627f2a3e9c4b445
Instruction ID: a2029cf4c0a99403750951d33ce64cc373397a5f1e06a14a501728a107396f53
Opcode Fuzzy Hash: ef10560fa01053edc917d33d95cbf31b2e5a52fb52c2c144b627f2a3e9c4b445
Instruction Fuzzy Hash: 1FF03A7081424DDBDB84EF28D8456E977E0FF48304F4005A9E80D83285DB38A650CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF506F9, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d720d5c91086def1e675332029829467237a1939089ecb7d6e9db72e3068e5ce
Instruction ID: 6cd9b9db8f69eedd69230ea26fc9355163fa7b96b6d0cf4883084ea29bad0198
Opcode Fuzzy Hash: d720d5c91086def1e675332029829467237a1939089ecb7d6e9db72e3068e5ce
Instruction Fuzzy Hash: 4DF0301161DBD44FE326833849797A27ED6AF96240F0D81EED0CEC7593C6AD69048752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50D19, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3eee7c1194a3da043f2cd87afc84d78afa57dab15481fe16419f020c452abc
Instruction ID: 2aa222e176d167a17402f80fe536605d3ad8642a8851f80ea010ebb8698be7f5
Opcode Fuzzy Hash: 2d3eee7c1194a3da043f2cd87afc84d78afa57dab15481fe16419f020c452abc
Instruction Fuzzy Hash: 36E09A347059088FDAA9EB1CD09CE6977E2FBAC30171604AAA44DC7366CE24DC018B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5CA4B, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbcdf0ff10f86680233e09e598d15e694b88f8b6b4b27c22f719712e5e9eb9c
Instruction ID: 56b0a88e6b79a2cc8439babb5a16fa1c05f6106b7da88abd5642c546778a92d0
Opcode Fuzzy Hash: 8cbcdf0ff10f86680233e09e598d15e694b88f8b6b4b27c22f719712e5e9eb9c
Instruction Fuzzy Hash: 96F0D434D0868D8FCB58DF99C8A58BDBBB4FF19700B10419DD8669B246CA34B812CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF535E6, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b90cdba46808ef35772bda60256b89999435bc73115f8319f5446e35d6c4a4
Instruction ID: 8401d877aa804926cd246b73aa38eca27aebf3841ba0df1e692a690257895681
Opcode Fuzzy Hash: e3b90cdba46808ef35772bda60256b89999435bc73115f8319f5446e35d6c4a4
Instruction Fuzzy Hash: 80D05E00F0DB164BE6A4710CA46633933C29B88B10F5442BAE90C93795CD2CBE0204C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53A63, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90642601552a7a9253fc0e570a1b9e108c9b7372a7bd885b4fbfa9cddc979037
Instruction ID: 0165bbfff0bacf3f8ecb43ae95f5552ce28dc54a55ce432a8453e63651a77bbf
Opcode Fuzzy Hash: 90642601552a7a9253fc0e570a1b9e108c9b7372a7bd885b4fbfa9cddc979037
Instruction Fuzzy Hash: A0D01231E4440DDADB50E668E8551EC77B1FF84250F4442F6D40D9A241CE746A918680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50921, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06aa0c11b72d8c63bfe91fa6e65d8e66d26df17255a88e2fcb10a6b25bd2923a
Instruction ID: 5fea0a893fe1ab7145c77ef2c884c77a6bb0ff36c5fdd2c36871d58974a240c7
Opcode Fuzzy Hash: 06aa0c11b72d8c63bfe91fa6e65d8e66d26df17255a88e2fcb10a6b25bd2923a
Instruction Fuzzy Hash: D1D05B25E189194EAF50F798F4552FCB7E0FF54321F500177D50DD3541DE2C64518340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF524C5, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0ae719b4cfd53c8ccb341b12a0812a28c28d9e1310e50f9f05c8e275dbce42
Instruction ID: 82d47b7fa2e56ba1b4cb14784c1d0e7e4f3ceeb5296293959334b9a9abf50083
Opcode Fuzzy Hash: 2e0ae719b4cfd53c8ccb341b12a0812a28c28d9e1310e50f9f05c8e275dbce42
Instruction Fuzzy Hash: C1E0923192551D8FD784DB98CC946FEB7F1FF84300F9400A5C009AF296DA3469418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50C92, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6f4c27825dfb8ad3d7c85e93478098751fb9ffea7ce0d83dca9d8aaec5b4b4
Instruction ID: 0f1f93a364b16a6a0de64efc9c7452bd8480c7a53fc3c1c712161504f808fe23
Opcode Fuzzy Hash: 8e6f4c27825dfb8ad3d7c85e93478098751fb9ffea7ce0d83dca9d8aaec5b4b4
Instruction Fuzzy Hash: 00D09E217489094FCAE5EB6C90A8B6827D2EF9875071902BAD04DC7277CE20DC828741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5052A, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcca39d4b53bb1856f101c73a1a736e23c0217229c2d092abc1e8fc705eaf58c
Instruction ID: b00b9e7831a962ad9e0e212ad5d9bab645c1cbcfe476d31f60119255462953bf
Opcode Fuzzy Hash: dcca39d4b53bb1856f101c73a1a736e23c0217229c2d092abc1e8fc705eaf58c
Instruction Fuzzy Hash: 84D0172691481A4EE780E768A9522FDA3F1FF45260B500AB9C00EE65C2DE282941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5A61C, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e716391802c215ba20888d3d852924dc7ca3dd7dff6d475b665190b53ac91a6e
Instruction ID: bdce3bd9da3ac0fbcf5aef07065ca79c400926652382d5ea62dfc9a38731ac5c
Opcode Fuzzy Hash: e716391802c215ba20888d3d852924dc7ca3dd7dff6d475b665190b53ac91a6e
Instruction Fuzzy Hash: E5E0C270D1451E8ED7A8EB68C9917ACA3B1BF04241F4085FAD01EB6692DE342A809F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50C65, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765ae1785d115a9f97da02333c68b78f6b9851c39809e049469b570f4ff59d7c
Instruction ID: 2bd10c756d48688b74227dc881195609881c6fd22e50b637494371a4cf83557c
Opcode Fuzzy Hash: 765ae1785d115a9f97da02333c68b78f6b9851c39809e049469b570f4ff59d7c
Instruction Fuzzy Hash: A6D05E20304C094FC5E4EB0C80A8AB533D2FFA834072900A6A00DC3276CF20EC828340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50CBF, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f3963f7b8fe88410baa2369d8c8e07d6482a4be7409afd8ddeaad0c51403f4
Instruction ID: b7667c842e32403115cc8298b3c305bfc65b36c27ecdf79f3091fe71176f9c06
Opcode Fuzzy Hash: 36f3963f7b8fe88410baa2369d8c8e07d6482a4be7409afd8ddeaad0c51403f4
Instruction Fuzzy Hash: 2BD09E35708D094FCAE5EA1C90A8AB573D2FF983517590565944ED7376CE24EC82C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50CEC, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913933935e25c7790d550dcb9ec286e2db02d4fe5d0891a6bd2b6d4c5be58ee4
Instruction ID: d1a752d51c1443f78cae21f6c549f4702c66448c9b4d3b34639a49219504004e
Opcode Fuzzy Hash: 913933935e25c7790d550dcb9ec286e2db02d4fe5d0891a6bd2b6d4c5be58ee4
Instruction Fuzzy Hash: FDD09E31748C094FDA96EB1CD098AB463D2FB983117590565D44DD7376CE24EC818B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5B0E1, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574cca092dff03d1e8010c21dbb84b2c817c742f31fbb77a40bca2ba6035c5af
Instruction ID: ea3e72e8a3b763f75ff6778db391c05d1253b9bd7640446d379589d23dd8ca8d
Opcode Fuzzy Hash: 574cca092dff03d1e8010c21dbb84b2c817c742f31fbb77a40bca2ba6035c5af
Instruction Fuzzy Hash: 15D01230914A0D4FDBD4EB14C8507E9B3A2FF54300F4051E5901ED7162DE34ADC5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5AD93, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed2ada29c65b4a2077d834b0b17cdb939b74b0907a5adfe4921d2075fa0ba65
Instruction ID: fec8c57b995f04e1cf76cffeffb1e192a4bc19fae4e2fd8f0a8d2f9be9866515
Opcode Fuzzy Hash: aed2ada29c65b4a2077d834b0b17cdb939b74b0907a5adfe4921d2075fa0ba65
Instruction Fuzzy Hash: B6E0EC70C146198EDB98EB64C8A5BACF7B1FB1A200F0091EAC00EE7292DE342585CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF527B8, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43339edde5926b29a42a9871f799fb0909c2bc6b9b07d7ab9c0a321aa0813db6
Instruction ID: 3ab97d49ea725b19ec3492d65b3cf4cdc2d74d10057932e8e3670b39c499bb74
Opcode Fuzzy Hash: 43339edde5926b29a42a9871f799fb0909c2bc6b9b07d7ab9c0a321aa0813db6
Instruction Fuzzy Hash: B4C08010D0F54616DF16737564514E577D0DF13114B0514F5D06DCA097DC5DD9C6C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF53C20, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43932dfc921abc5fdbd1b3fe1ff65684e8aa177575d645cb8cfc254fdf77d589
Instruction ID: 631f081a19facc063847dc4dd30be8863f2100dd0c33ecdd9fa013d80a8466e7
Opcode Fuzzy Hash: 43932dfc921abc5fdbd1b3fe1ff65684e8aa177575d645cb8cfc254fdf77d589
Instruction Fuzzy Hash: 70C09B14D6640A05FE58337D0D5A7F412C06F55214FC401F0EC4CC1581F84E56E95152

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50440, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f00f0feece6de50b991e04b4381edd13399ac738e197ecd66195026d3890fe
Instruction ID: 2118e08a101b5168a2d6a1b06fea5726ba941e7d812af5949a0e9e2d6950079b
Opcode Fuzzy Hash: 33f00f0feece6de50b991e04b4381edd13399ac738e197ecd66195026d3890fe
Instruction Fuzzy Hash: D5C08C14C1A1170AFF60323C1D9A1F963D0AF07318F8005F1EC8984082FE0D26D89152

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF50799, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1873a3052f8d51e9c6f727d80efa6c98df45171e10044c1f884b1f06a99ed3c9
Instruction ID: 441abc62f512b651651f70833ef539f2ebb2e712ca67c1432dc9de042a95aa03
Opcode Fuzzy Hash: 1873a3052f8d51e9c6f727d80efa6c98df45171e10044c1f884b1f06a99ed3c9
Instruction Fuzzy Hash: 7DC08C20B4CC0A2F8EC0EA2CC011EA973E2FB7834030046A4A00EC3A96CE28F98083C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5041A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72de39a0bd96dbd8648c73159a3657fdfbc8602eccac335b20c1ae573a440ef
Instruction ID: f19779bd25587b2c6edec33a36928d53110db9f09af7d82840a39a0526c174e9
Opcode Fuzzy Hash: e72de39a0bd96dbd8648c73159a3657fdfbc8602eccac335b20c1ae573a440ef
Instruction Fuzzy Hash: 99C08C04C1940604BA6435390C092B843C05F02209F8002F5DD8D82481FC0E23991012

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5318A, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e90d92e81dae6eaf08c900a7956b16394dbc6cc7dd0412a654e0003324856d
Instruction ID: e71dec1aa78a12319ec5fb901084312f5f19bb4442562cf9f6e0264bd979f30c
Opcode Fuzzy Hash: 63e90d92e81dae6eaf08c900a7956b16394dbc6cc7dd0412a654e0003324856d
Instruction Fuzzy Hash: 3CB09230904A88CFCF48FFA890D8A5C7FB0EB28301F020419D40ADA24ACA3884808B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF5AE5F, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0f91246841978efd69899689916941fd3567913b21af52ff8a27c6459f8cc3
Instruction ID: f4b138c6576544b455172f6a107e32b5fed19b4e2a7852e4a1f286e1b5a80cc2
Opcode Fuzzy Hash: ce0f91246841978efd69899689916941fd3567913b21af52ff8a27c6459f8cc3
Instruction Fuzzy Hash: 2BB01210E0250809D3D09F14001436C91D0F734100F5040E5800CD2191DD2014C0DB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFF2AF58633, Relevance: 7.6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

`_^$, xrefs: 00007FFF2AF5872A
`_^6, xrefs: 00007FFF2AF58772
`_^ , xrefs: 00007FFF2AF5871A
`_^2, xrefs: 00007FFF2AF58762
`_^4, xrefs: 00007FFF2AF5876A
`_^", xrefs: 00007FFF2AF58722

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID: `_^ $`_^"$`_^$$`_^2$`_^4$`_^6
API String ID: 0-2324174186
Opcode ID: 7955a1903c0b7d7fa0f898522bfb4d6c013d49b69395b12e4e4b39d85a0bf8c7
Instruction ID: 3e41fa822f5ec834447c34f8a288f250c944630a66ce296f92378ad33e2148f8
Opcode Fuzzy Hash: 7955a1903c0b7d7fa0f898522bfb4d6c013d49b69395b12e4e4b39d85a0bf8c7
Instruction Fuzzy Hash: BE41264A90D2499ADB057678A8C10FA6BD8FF12320F7910F6D1589F0A7DB982D8E82D5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2AF58638, Relevance: 7.6, Strings: 6, Instructions: 117COMMON

Download Yara Rule

Strings

`_^$, xrefs: 00007FFF2AF5872A
`_^6, xrefs: 00007FFF2AF58772
`_^ , xrefs: 00007FFF2AF5871A
`_^2, xrefs: 00007FFF2AF58762
`_^4, xrefs: 00007FFF2AF5876A
`_^", xrefs: 00007FFF2AF58722

Memory Dump Source

Source File: 00000000.00000002.251770236.00007FFF2AF50000.00000040.00000001.sdmp, Offset: 00007FFF2AF50000, based on PE: false

Similarity

API ID:
String ID: `_^ $`_^"$`_^$$`_^2$`_^4$`_^6
API String ID: 0-2324174186
Opcode ID: cb2eece710bcd00da33a593b2b5e5931006d4f97529f9090e0a31e82b447e522
Instruction ID: 7b1cee4f0e720f9c4a2a816b98704ba48f1286c5e81e5c5181e47001b481a314
Opcode Fuzzy Hash: cb2eece710bcd00da33a593b2b5e5931006d4f97529f9090e0a31e82b447e522
Instruction Fuzzy Hash: F931454690D25A9ADB017638B9C50FA2BD4EF03320F7810F2E0989F0A7CB582DCA82C5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report moni $@.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: moni $@.exe PID: 3516 Parent PID: 5680