Edit tour

Windows Analysis Report
avidump.exe

Overview

General Information

Sample name:	avidump.exe
Analysis ID:	1354146
MD5:	cdc9a6a2ad5ba647ae7a2e772fa40cc1
SHA1:	263dfa0e1367504da4549e3e412d98dc46aab607
SHA256:	81069462d3d01c052757a0e8033dddae459c2acf47a20b931a4a77b3855a537e
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Classification

Process Tree

System is w10x64

avidump.exe (PID: 892 cmdline: C:\Users\user\Desktop\avidump.exe MD5: CDC9A6A2AD5BA647AE7A2E772FA40CC1)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: avidump.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: avidump.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Fuzzytoo\Desktop\avidump\Debug\avidump.pdb source: avidump.exe

Source: C:\Users\user\Desktop\avidump.exe	Code function: 0_2_00F116C0		0_2_00F116C0
Source: C:\Users\user\Desktop\avidump.exe	Code function: 0_2_00F116C0		0_2_00F116C0

Source: C:\Users\user\Desktop\avidump.exe

Section loaded: msvcr100d.dll

Jump to behavior

Source: avidump.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean4.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03

Source: C:\Users\user\Desktop\avidump.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\avidump.exe C:\Users\user\Desktop\avidump.exe
Source: C:\Users\user\Desktop\avidump.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: avidump.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: avidump.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Fuzzytoo\Desktop\avidump\Debug\avidump.pdb source: avidump.exe

Source: C:\Users\user\Desktop\avidump.exe

Code function: 0_2_00F14400 LoadLibraryW,GetProcAddress,_getMemBlockDataString,lstrlenA,failwithmessage,failwithmessage,

0_2_00F14400

Source: avidump.exe

Static PE information: section name: .textbss

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\avidump.exe

Code function: 0_2_00F11023 IsDebuggerPresent,

0_2_00F11023

Source: C:\Users\user\Desktop\avidump.exe

Code function: 0_2_00F14400 LoadLibraryW,GetProcAddress,_getMemBlockDataString,lstrlenA,failwithmessage,failwithmessage,

0_2_00F14400

Source: C:\Users\user\Desktop\avidump.exe

Code function: 0_2_00F150B0 VirtualQuery,GetModuleFileNameW,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00F150B0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\avidump.exe	Code function: 0_2_00F14820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F14820
Source: C:\Users\user\Desktop\avidump.exe	Code function: 0_2_00F14A00 SetUnhandledExceptionFilter,	0_2_00F14A00
Source: C:\Users\user\Desktop\avidump.exe	Code function: 0_2_00F11069 SetUnhandledExceptionFilter,	0_2_00F11069

Source: C:\Users\user\Desktop\avidump.exe

Code function: 0_2_00F14CA0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00F14CA0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Domains and IPs

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1354146
Start date and time:	2023-12-05 19:26:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	avidump.exe
Detection:	CLEAN
Classification:	clean4.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target avidump.exe, PID 892 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: avidump.exe

Joe Sandbox View / Context

Instruction
jmp 00007F0544E91B64h
jmp 00007F0544E92A6Fh
jmp 00007F0544E92AEAh
jmp 00007F0544E93A13h
jmp 00007F0544E919E8h
jmp 00007F0544E93979h
jmp 00007F0544E93A16h
jmp 00007F0544E91871h
jmp 00007F0544E92D50h
jmp 00007F0544E911C7h
jmp 00007F0544E91772h
jmp 00007F0544E9149Dh
jmp 00007F0544E93980h
jmp 00007F0544E92B83h
jmp 00007F0544E8F4EEh
jmp 00007F0544E9393Bh
jmp 00007F0544E939EAh
jmp 00007F0544E939C7h
jmp 00007F0544E93932h
jmp 00007F0544E919DFh
jmp 00007F0544E93140h
jmp 00007F0544E93941h
jmp 00007F0544E9289Ch
jmp 00007F0544E939B5h
jmp 00007F0544E92F7Ch
jmp 00007F0544E939C9h
jmp 00007F0544E92CFCh
jmp 00007F0544E92E2Bh
jmp 00007F0544E92E38h
jmp 00007F0544E93931h
jmp 00007F0544E9397Ah
jmp 00007F0544E91967h
jmp 00007F0544E916FEh
jmp 00007F0544E938FFh
jmp 00007F0544E939B4h
jmp 00007F0544E92AF5h
jmp 00007F0544E92CD0h
jmp 00007F0544E93939h
jmp 00007F0544E91E66h
jmp 00007F0544E91963h

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38000	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0x459	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0x520	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17720	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x381dc	0x1a0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.textbss	0x1000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x11000	0x58b4	0x5a00	False	0.3080295138888889	data	4.9005508617351	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17000	0x2071	0x2200	False	0.20438878676470587	data	2.487603845758131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x1dd44	0x200	False	0.072265625	data	0.42378437585596346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x38000	0x964	0xa00	False	0.369140625	data	4.317900375664463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0x459	0x600	False	0.18619791666666666	data	2.2532907567883185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a000	0x833	0xa00	False	0.46484375	data	4.255966405480478	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x39170	0x196	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5738916256157636

DLL	Import
MSVCR100D.dll	?terminate@@YAXXZ, _controlfp_s, _invoke_watson, _unlock, __dllonexit, _crt_debugger_hook, _onexit, _except_handler4_common, _wmakepath_s, wcscpy_s, _wsplitpath_s, _initterm_e, _initterm, _CrtDbgReportW, _CrtSetCheckCount, __initenv, exit, _cexit, _XcptFilter, _exit, __getmainargs, _amsg_exit, __set_app_type, _fmode, _commode, __setusermatherr, _configthreadlocale, _CRT_RTC_INITW, fopen_s, strcpy_s, strcat_s, fclose, feof, memcmp, printf, _fseeki64, _ftelli64, fprintf, _lock, fread
KERNEL32.dll	GetModuleHandleW, VirtualQuery, GetModuleFileNameW, GetProcessHeap, HeapAlloc, HeapFree, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, DecodePointer, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, LoadLibraryW, GetProcAddress, lstrlenA, RaiseException, MultiByteToWideChar, IsDebuggerPresent, WideCharToMultiByte, HeapSetInformation, InterlockedCompareExchange, Sleep, InterlockedExchange, EncodePointer, FreeLibrary

?terminate@@YAXXZ, _controlfp_s, _invoke_watson, _unlock, __dllonexit, _crt_debugger_hook, _onexit, _except_handler4_common, _wmakepath_s, wcscpy_s, _wsplitpath_s, _initterm_e, _initterm, _CrtDbgReportW, _CrtSetCheckCount, __initenv, exit, _cexit, _XcptFilter, _exit, __getmainargs, _amsg_exit, __set_app_type, _fmode, _commode, __setusermatherr, _configthreadlocale, _CRT_RTC_INITW, fopen_s, strcpy_s, strcat_s, fclose, feof, memcmp, printf, _fseeki64, _ftelli64, fprintf, _lock, fread

KERNEL32.dll

GetModuleHandleW, VirtualQuery, GetModuleFileNameW, GetProcessHeap, HeapAlloc, HeapFree, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, DecodePointer, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, LoadLibraryW, GetProcAddress, lstrlenA, RaiseException, MultiByteToWideChar, IsDebuggerPresent, WideCharToMultiByte, HeapSetInformation, InterlockedCompareExchange, Sleep, InterlockedExchange, EncodePointer, FreeLibrary

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• avidump.exe
• conhost.exe

Click to jump to process

Click to jump to process

Behavior

• avidump.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	19:27:21
Start date:	05/12/2023
Path:	C:\Users\user\Desktop\avidump.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\avidump.exe
Imagebase:	0xf00000
File size:	39'936 bytes
MD5 hash:	CDC9A6A2AD5BA647AE7A2E772FA40CC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	19:27:21
Start date:	05/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00F116C0 Relevance: 188.8, APIs: 65, Strings: 42, Instructions: 1523COMMON

Download Yara Rule

APIs

_ftelli64.MSVCR100D(?), ref: 00F11702
fread.MSVCR100D(00000000,00000004,00000001,?), ref: 00F11737
fread.MSVCR100D(?,00000004,00000001,?), ref: 00F117A7
_ftelli64.MSVCR100D(?), ref: 00F117DD
printf.MSVCR100D(%016llx/%d/%d,?,?,?,?), ref: 00F11821
fprintf.MSVCR100D(?,frame %d length %d,?,?), ref: 00F11854
_fseeki64.MSVCR100D(?,?,00000000,00000001), ref: 00F11884
fprintf.MSVCR100D(?,found frames %d,?), ref: 00F118FA
fread.MSVCR100D(?,00000004,00000001,?), ref: 00F11939
_fseeki64.MSVCR100D(?,?,00000000,00000001), ref: 00F11978
fread.MSVCR100D(?,00000004,00000001,?), ref: 00F119E2
fread.MSVCR100D(?,00000004,00000001,?), ref: 00F11A7E

Strings

idx1, xrefs: 00F119A8
FIEL, xrefs: 00F11AED
AVI, xrefs: 00F11CB7, 00F11CF0
Tdat, xrefs: 00F1251D
tc_O, xrefs: 00F12576
Avi Header Frames %d, xrefs: 00F120AA
AVIX, xrefs: 00F11CDD
ISFT, xrefs: 00F11DB1
type %s, xrefs: 00F11EA5, 00F1280F, 00F128E7
frame %d length %d, xrefs: 00F11848
found frames %d, xrefs: 00F118EE
odml, xrefs: 00F11E4C
rate %d, xrefs: 00F12481
%016llx, xrefs: 00F128C0
strh, xrefs: 00F123C3
movi, xrefs: 00F12909
Avi Header X %d, Y %d, xrefs: 00F1207C
JUNK, xrefs: 00F11D16
INFO, xrefs: 00F1222B
pointer %x, xrefs: 00F1296E
LIST, xrefs: 00F1219E
Total stream frames %d, xrefs: 00F124AF
AviHeader Bad, Length wrong %d Pushing on to use stream header, xrefs: 00F120EB
_PMX, xrefs: 00F11C09
StreamHeader Bad, Bytes per pixel wrong %d, xrefs: 00F124F6
strf, xrefs: 00F12731
strl, xrefs: 00F1236A
ICRD, xrefs: 00F12284
ix00, xrefs: 00F127F4
%016llx/%d/%d, xrefs: 00F1181C
Cr8r, xrefs: 00F11B7B
AVI , xrefs: 00F11CA4
tc_A, xrefs: 00F12670
avih, xrefs: 00F11FB7
hdrl, xrefs: 00F11F5E
RIFF, xrefs: 00F12111
00db, xrefs: 00F1176D
00ix1, xrefs: 00F1191A
unknown in list, xrefs: 00F12943
dmlh, xrefs: 00F11EC7
00dc, xrefs: 00F11784
indx, xrefs: 00F11A5F

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: fread$_fseeki64_ftelli64fprintf$printf
String ID: %016llx$%016llx/%d/%d$00db$00dc$00ix1$AVI$AVI $AVIX$Avi Header Frames %d$Avi Header X %d, Y %d$AviHeader Bad, Length wrong %d Pushing on to use stream header$Cr8r$FIEL$ICRD$INFO$ISFT$JUNK$LIST$RIFF$StreamHeader Bad, Bytes per pixel wrong %d$Tdat$Total stream frames %d$_PMX$avih$dmlh$found frames %d$frame %d length %d$hdrl$idx1$indx$ix00$movi$odml$pointer %x$rate %d$strf$strh$strl$tc_A$tc_O$type %s$unknown in list
API String ID: 4135216957-4268034411
Opcode ID: d5b9b0d91c7dda48cc09ae01601b7cbcf8feae9179d02e3974d107fc3d22588d
Instruction ID: 50b18b113117ccbe4cbc1b0f2e3cff6e84ce6ebcbb8556c16ca45d1e3d6a3a82
Opcode Fuzzy Hash: d5b9b0d91c7dda48cc09ae01601b7cbcf8feae9179d02e3974d107fc3d22588d
Instruction Fuzzy Hash: A0C29E71E00208AFEB54EF6CCC42BEE77A5FB08710F408519FE19DB251E675D994AB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F150B0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 273libraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00F150D5
GetModuleFileNameW.KERNEL32(?,?,?), ref: 00F150F2
GetProcAddress.KERNEL32(?,PDBOpenValidate5), ref: 00F15182

Strings

PDBOpenValidate5, xrefs: 00F1517C

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: AddressFileModuleNameProcQueryVirtual
String ID: PDBOpenValidate5
API String ID: 3975414188-413491164
Opcode ID: 0517b2ddc51a662a2003eab901e4f6f59fafa526610f35f3748b1d5cea6ee9e8
Instruction ID: 0113942fba5fa7e0c99fe65512b53ea02cefdb794fa48c884f21f27eeca98e56
Opcode Fuzzy Hash: 0517b2ddc51a662a2003eab901e4f6f59fafa526610f35f3748b1d5cea6ee9e8
Instruction Fuzzy Hash: 18917F75A00A0AEFDB10DFA4CC80EEEB7BAEF89B50F104159E9159B250D770ED81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F14A00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(J8), ref: 00F14A0A

Strings

J8, xrefs: 00F14A05

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: J8
API String ID: 3192549508-3332737933
Opcode ID: ada8ced0df6fe25cb18ed4519de964eef3db085fac1f380736978e158144c71a
Instruction ID: 806787e96eddfcb372ce2b78254bf27cbd5b28dfb86e8050865ed68d668ea966
Opcode Fuzzy Hash: ada8ced0df6fe25cb18ed4519de964eef3db085fac1f380736978e158144c71a
Instruction Fuzzy Hash: 00B0127125430C37420013E26C09807BB9DD7C47707410010B21C81001DC61D4015092

Uniqueness

Uniqueness Score: -1.00%

Function 00F11069 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c85f9bbf482d3e5d8293228ec2c11f29f83cb4c5aa752fc5643558bc124663
Instruction ID: 52405ff573efdbb20ece457efa213ab04d4066d4d2b0e5cce5d67384d4289c94
Opcode Fuzzy Hash: 50c85f9bbf482d3e5d8293228ec2c11f29f83cb4c5aa752fc5643558bc124663
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00F11023 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9d663b9bbf3eb831bcdda372a78648e176c179e187bd432e1c7ed134dd299b
Instruction ID: 6ae80c3bf934bce795b309c99b165838134d0711ca95b8dfcfd680edb4602799
Opcode Fuzzy Hash: 0c9d663b9bbf3eb831bcdda372a78648e176c179e187bd432e1c7ed134dd299b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00F133E0 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 153stringCOMMON

Download Yara Rule

APIs

printf.MSVCR100D(output is stored in a new file with .txt appended), ref: 00F13415
printf.MSVCR100D(usage: avidump filename), ref: 00F1342C
fopen_s.MSVCR100D(?,?,00F17A34), ref: 00F1345E
strcpy_s.MSVCR100D(?,00000400,?), ref: 00F13480
strcat_s.MSVCR100D(?,00000400,.txt), ref: 00F134A3
fopen_s.MSVCR100D(00F1A26C,?,00F17A28), ref: 00F134D0
fprintf.MSVCR100D(?,dissassembly of %s,?), ref: 00F134FB
fprintf.MSVCR100D(?,expected frames %d,?), ref: 00F1352B
fprintf.MSVCR100D(?,processed frames %d,?), ref: 00F1354F
fclose.MSVCR100D(00000000), ref: 00F13565
fclose.MSVCR100D(?), ref: 00F135A1

Strings

usage: avidump filename, xrefs: 00F13427
dissassembly of %s, xrefs: 00F134EF
expected frames %d, xrefs: 00F1351F
could not open %s, xrefs: 00F1357D
.txt, xrefs: 00F13492
output is stored in a new file with .txt appended, xrefs: 00F13410
processed frames %d, xrefs: 00F13543

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: fprintf$fclosefopen_sprintf$strcat_sstrcpy_s
String ID: .txt$could not open %s$dissassembly of %s$expected frames %d$output is stored in a new file with .txt appended$processed frames %d$usage: avidump filename
API String ID: 3403244542-1888248713
Opcode ID: d305d17c6cafcc22166ca1d838a61cf878515e75cce4cfa83a449cf518ad5674
Instruction ID: 4f5e8b4d2277bcb58a86a1b81fa24152095fa5b2937657d39d086109ea82a3ed
Opcode Fuzzy Hash: d305d17c6cafcc22166ca1d838a61cf878515e75cce4cfa83a449cf518ad5674
Instruction Fuzzy Hash: 4151C672E012186FCB60BB58DC47AEDB769EB04710F454155FF0AA7361C93A9E84ABC3

Uniqueness

Uniqueness Score: -1.00%

Function 00F15550 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ADVAPI32.DLL,?), ref: 00F1556B
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00F15593

Strings

RegQueryValueExW, xrefs: 00F155B0
MSPDB100.DLL, xrefs: 00F156A5
RegCloseKey, xrefs: 00F155BE
EnvironmentDirectory, xrefs: 00F15622
\, xrefs: 00F1566F
SOFTWARE\Microsoft\VisualStudio\10.0\Setup\VS, xrefs: 00F155D7
ADVAPI32.DLL, xrefs: 00F15566
RegOpenKeyExW, xrefs: 00F1558D

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ADVAPI32.DLL$EnvironmentDirectory$MSPDB100.DLL$RegCloseKey$RegOpenKeyExW$RegQueryValueExW$SOFTWARE\Microsoft\VisualStudio\10.0\Setup\VS$\
API String ID: 2574300362-326676442
Opcode ID: 9a9c97c03ff5e112b355da5b84263bfcc87cb2dfd878f657e6f1a2d0714f3c35
Instruction ID: c620c378239075bcae6744213288967af74cd29492da7e1a4529c62dbf58acf0
Opcode Fuzzy Hash: 9a9c97c03ff5e112b355da5b84263bfcc87cb2dfd878f657e6f1a2d0714f3c35
Instruction Fuzzy Hash: 0C413A70A0161CCBCB24DF59DD48AD9B3A6EF98764F15819AE80993250DF70CE82AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F13100 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 173COMMON

Download Yara Rule

APIs

fread.MSVCR100D(00F1A3A8,00000008,00000001,?), ref: 00F13137
fprintf.MSVCR100D(?,RIFF %d,00000000), ref: 00F13188
fread.MSVCR100D(00F1A3A8,00000004,00000001,?), ref: 00F131A7

Strings

pointer %x, xrefs: 00F132AE
unknown in raw, xrefs: 00F13279
LIST, xrefs: 00F13245
RIFF, xrefs: 00F1315C
RIFF %d, xrefs: 00F1317D

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: fread$fprintf
String ID: LIST$RIFF$RIFF %d$pointer %x$unknown in raw
API String ID: 2176144599-3481428552
Opcode ID: bb978c8c04139ccc23715edaf853670bd3439a27cd52a4b93810d511c7451827
Instruction ID: f35518f18d56d433b62505b6550f5e846d9dd3ac606e2c04199d3d4a795056ec
Opcode Fuzzy Hash: bb978c8c04139ccc23715edaf853670bd3439a27cd52a4b93810d511c7451827
Instruction Fuzzy Hash: BF51C772E042147BEB20BB68DC47BE97669AB08750F404014FE19E7351E57ADEC4A7D3

Uniqueness

Uniqueness Score: -1.00%

Function 00F11440 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

_ftelli64.MSVCR100D(00000000), ref: 00F11482
fprintf.MSVCR100D(?,%016llx: ,00000000), ref: 00F114A2
fread.MSVCR100D(00F1A3A8,00000010,00000001,00000000), ref: 00F114C1
fprintf.MSVCR100D(?,%02X ,?), ref: 00F11510
fprintf.MSVCR100D(?,%c ,?), ref: 00F1156D
fprintf.MSVCR100D(?,00F17740), ref: 00F1158C
fprintf.MSVCR100D(?,00F1773C), ref: 00F115AB

Strings

%c , xrefs: 00F11561
%016llx: , xrefs: 00F11496
%02X , xrefs: 00F11504

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: fprintf$_ftelli64fread
String ID: %016llx: $%02X $%c
API String ID: 493066381-3845985378
Opcode ID: d501b57f7561e1a4450a567f2f8f4b52e3f596a82b8f13d28ff559b9222fa0c1
Instruction ID: ea0ac22af9e01ed6483a1a250e1fc2a1b5eac8a4fde538d1624aeafb4b7a31fd
Opcode Fuzzy Hash: d501b57f7561e1a4450a567f2f8f4b52e3f596a82b8f13d28ff559b9222fa0c1
Instruction Fuzzy Hash: F341B432E05228ABDB20A758DC467EDB7B5BB05750F444141FA0AB7351C72A9984BBE3

Uniqueness

Uniqueness Score: -1.00%

Function 00F15420 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(MSVCR100D.dll,00000000,?), ref: 00F15469
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F1548C
LoadLibraryW.KERNEL32(?), ref: 00F154B8
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F154CC
LoadLibraryW.KERNEL32(?), ref: 00F154F8

Strings

MSVCR100D.dll, xrefs: 00F15464

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: Module$FileLibraryLoadName$Handle
String ID: MSVCR100D.dll
API String ID: 2349647968-3445637155
Opcode ID: 0e95e8b07e91c1fbcf11f600d388f67f3eeaf01c7e3b8dfdb048f5ecb536169f
Instruction ID: 12bc4d8ea1b1b3af3d149b83f515eca2507ecf0416b6a524fe99d05be736f10e
Opcode Fuzzy Hash: 0e95e8b07e91c1fbcf11f600d388f67f3eeaf01c7e3b8dfdb048f5ecb536169f
Instruction Fuzzy Hash: 9C2107B1E0030CDADB30E7748D05FEA37699BC4B60F4441A5AE05D2081EE79DAC8EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F11467 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_ftelli64.MSVCR100D(00000000), ref: 00F11482
fprintf.MSVCR100D(?,%016llx: ,00000000), ref: 00F114A2
fread.MSVCR100D(00F1A3A8,00000010,00000001,00000000), ref: 00F114C1
fprintf.MSVCR100D(?,%02X ,?), ref: 00F11510
fprintf.MSVCR100D(?,%c ,?), ref: 00F1156D
fprintf.MSVCR100D(?,00F17740), ref: 00F1158C
fprintf.MSVCR100D(?,00F1773C), ref: 00F115AB

Strings

%016llx: , xrefs: 00F11496

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: fprintf$_ftelli64fread
String ID: %016llx:
API String ID: 493066381-511893447
Opcode ID: 3ad5e6493208e2329542a577b54951b09d0663ba9915dc13dd18567a644f63f1
Instruction ID: 68d19005521f93231ff4fcb37daeb20e19bb6b2eedf4df8767a943313062dc49
Opcode Fuzzy Hash: 3ad5e6493208e2329542a577b54951b09d0663ba9915dc13dd18567a644f63f1
Instruction Fuzzy Hash: 7D018F32A002186BDB60AB68DC42BE9B7AAEB04750F444051FE19A7341D62A9DD06AD3

Uniqueness

Uniqueness Score: -1.00%

Function 00F13E30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

failwithmessage.LIBCMTD ref: 00F13E57

Part of subcall function 00F13EA0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00F13F0D
Part of subcall function 00F13EA0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 00F13F28
Part of subcall function 00F13EA0: DebuggerProbe.LIBCMTD ref: 00F13F4B
Part of subcall function 00F13EA0: DebuggerRuntime.LIBCMTD ref: 00F13F6E
Part of subcall function 00F13EA0: IsDebuggerPresent.KERNEL32 ref: 00F13F9F

failwithmessage.LIBCMTD ref: 00F13E77

Strings

Unknown Runtime Check Error, xrefs: 00F13E61, 00F13E66

Memory Dump Source

Source File: 00000000.00000002.3279158110.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.3279146733.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279168765.0000000000F17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279179635.0000000000F38000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3279191609.0000000000F39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_avidump.jbxd

Similarity

API ID: Debugger$ByteCharMultiWidefailwithmessage$PresentProbeRuntime
String ID: Unknown Runtime Check Error
API String ID: 3941055102-2722348778
Opcode ID: 77f307a5fb98d231abab383efe336a1c6ede7c433416f50d99c47c1f131c8241
Instruction ID: 82cbd0994a55eac1d44aa55c5c8a74bc18936fc1065790b4a83a05f2782cf8cb
Opcode Fuzzy Hash: 77f307a5fb98d231abab383efe336a1c6ede7c433416f50d99c47c1f131c8241
Instruction Fuzzy Hash: D5E06DB59002086BEB04EA5CEC55EAB33AED7C8734F548244F51C87292E636EEA55760

Uniqueness

Uniqueness Score: -1.00%

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.760960775646094
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	avidump.exe
File size:	39'936 bytes
MD5:	cdc9a6a2ad5ba647ae7a2e772fa40cc1
SHA1:	263dfa0e1367504da4549e3e412d98dc46aab607
SHA256:	81069462d3d01c052757a0e8033dddae459c2acf47a20b931a4a77b3855a537e
SHA512:	d006fd8874fca45af768e2598012c2a96ad00a0802c68b127d2d3e83ca970ed8784aa38c39409ef35696179d278dd6bb47a65e1b55b0bcf53723067999d37bb5
SSDEEP:	768:x6Rv+/i0P/jhx5SpHQZI3VJRPMrQAgBo06PsJXf30UIGgt7BjB:x+BN/JXf30U+
TLSH:	35030862A600CC3AD2B1C4B655AA6EE751ADF9F40F54D1F323E40EF91D10AE1A43B64E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4..]4..]4..]/7$]7..]/7.]&..]=.+]6..]4..]q..]/7.]=..]/7"]5..]/7%]5..]Rich4..]................PE..L...r.\e.................Z.

Entrypoint:	0x41112c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x655CFF72 [Tue Nov 21 19:05:22 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9a690d1f62e03577371c8a779777760e

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre


Icon Hash:	00928e8e8686b000

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report avidump.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: avidump.exePID: 892, Parent PID: 1028

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Windows Analysis Report
avidump.exe