Edit tour

Windows Analysis Report
filedata.exe

Overview

General Information

Sample name:	filedata.exe (renamed file extension from none to exe)
Original sample name:	filedata
Analysis ID:	1467815
MD5:	7794b42506387d60de24b9c86dc835ee
SHA1:	ef90fd11ba251cc7390993e7fb06627e1e35696c
SHA256:	fa341b1799bc1f666359ed075ef1873b3482ab24d9d6de7f2ec6b70b9faad717
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

filedata.exe (PID: 5168 cmdline: "C:\Users\user\Desktop\filedata.exe" MD5: 7794B42506387D60DE24B9C86DC835EE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: filedata.exe

Avira: detected

Source: filedata.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: filedata.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\DevRepos\ProfessionalServices\PEAC\Projects\Custom\PSImport\obj\Debug\PEACPSImport.pdb source: filedata.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: filedata.exe, 00000000.00000002.3279089458.0000000000B32000.00000004.00000020.00020000.00000000.sdmp

Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: filedata.exe	String found in binary or memory: http://www.archivesystems.com/

Source: C:\Users\user\Desktop\filedata.exe

Code function: 0_2_0995D2A8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_0995D2A8

Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_0102C1B8	0_2_0102C1B8
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_071EE0B0	0_2_071EE0B0
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_071E3F20	0_2_071E3F20
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_071E0F18	0_2_071E0F18
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_071E3F10	0_2_071E3F10
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_071E0F07	0_2_071E0F07
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_09959A49	0_2_09959A49
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_09956CA0	0_2_09956CA0
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_09955C18	0_2_09955C18
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_09959A49	0_2_09959A49
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_09955C18	0_2_09955C18
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_09981348	0_2_09981348

Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.Remoting.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesystem.data.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279089458.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq,\\StringFileInfo\\000004B0\\OriginalFilename vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs filedata.exe
Source: filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs filedata.exe
Source: filedata.exe, 00000000.00000000.2032970445.0000000000650000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe
Source: filedata.exe	Binary or memory string: OriginalFilenamePEACPSImport.exe: vs filedata.exe

Source: filedata.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\filedata.exe

Mutant created: NULL

Source: filedata.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: filedata.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\filedata.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe

File read: C:\Users\user\Desktop\filedata.exe

Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: filedata.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: filedata.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: filedata.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\DevRepos\ProfessionalServices\PEAC\Projects\Custom\PSImport\obj\Debug\PEACPSImport.pdb source: filedata.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: filedata.exe, 00000000.00000002.3279089458.0000000000B32000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_0102E732 push eax; ret		0_2_0102E739
Source: C:\Users\user\Desktop\filedata.exe	Code function: 0_2_071E64C0 push eax; iretd		0_2_071E6511

Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\filedata.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Users\user\Desktop\filedata.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\filedata.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\filedata.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Input Capture	1 Virtualization/Sandbox Evasion	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
filedata.exe	100%	Avira	TR/Spy.Gen5

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.archivesystems.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	filedata.exe, 00000000.00000002.3279996737.0000000002961000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.archivesystems.com/	filedata.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467815
Start date and time:	2024-07-04 20:14:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	filedata.exe (renamed file extension from none to exe)
Original Sample Name:	filedata
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 4

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: filedata.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.491640943769623
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	filedata.exe
File size:	52'736 bytes
MD5:	7794b42506387d60de24b9c86dc835ee
SHA1:	ef90fd11ba251cc7390993e7fb06627e1e35696c
SHA256:	fa341b1799bc1f666359ed075ef1873b3482ab24d9d6de7f2ec6b70b9faad717
SHA512:	61652ff66159a8ca896387f753464b2682005c7fb0d06e2750b8cc51270970e6c7d6f433b237c6320bb20d0fcaa56770b2411e96b8173d84ea9a349a13442ca9
SSDEEP:	1536:6lefR7lFwtXkLEGa/57bM+wwx4QU3DNZ35zNy0p8s:6gfNlFekIGa/9Q+wwxfU3DNZ35x
TLSH:	4B33E601B7F84122F5BFAFF95DB195004BB9B9579A32C70C0A81A09E2E77B41C960B77
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............P.................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40e51e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6685FA8A [Thu Jul 4 01:27:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe394	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc524	0xc600	4d57dd99e1aa7b6d0f6818be39fdb724	False	0.4157986111111111	data	5.583386809314627	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x3e8	0x400	cb02860e29ff43e5bb56d55451bfe5e6	False	0.396484375	data	3.1531338705843135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	58ea253d3ad4b9c98bd4b7d8a39c1b6c	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10058	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.41629955947136565

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: filedata.exePID: 5168, Parent PID: 1028

General

Target ID:	0
Start time:	14:15:45
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\filedata.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\filedata.exe"
Imagebase:	0x640000
File size:	52'736 bytes
MD5 hash:	7794B42506387D60DE24B9C86DC835EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: filedata.exePID: 5168, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	163
Total number of Limit Nodes:	15

Executed Functions

Function 071E3F20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 071E4076

Strings

Hgq, xrefs: 071E43DD
Hgq, xrefs: 071E4497

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: Capture
String ID: Hgq$Hgq
API String ID: 1145282425-3391890871
Opcode ID: 9929b77b57197ac227336c700bbd32037f75bf1917a5ae06381180c6d4c5fb71
Instruction ID: 4476445f270289d87e5b054cf1925aba5d1d826e6682e0974eb9e947ffafaee7
Opcode Fuzzy Hash: 9929b77b57197ac227336c700bbd32037f75bf1917a5ae06381180c6d4c5fb71
Instruction Fuzzy Hash: B51271B0B002599FDB15EFB9C5506AEBBF6AFC8300F248569E409AB391DF349D42CB51

Function 071E3F10 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 071E4076

Strings

], xrefs: 071E3EB5

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: Capture
String ID: ]
API String ID: 1145282425-3352871620
Opcode ID: 1ca19c02f49bc2e803b836264e11e718cc163c9a1e00b93210e4bcd48cc43940
Instruction ID: 2e01daf126343369e42136c08f947224564686683425c93d95ea2c875d3816b3
Opcode Fuzzy Hash: 1ca19c02f49bc2e803b836264e11e718cc163c9a1e00b93210e4bcd48cc43940
Instruction Fuzzy Hash: BEE13FB4E00659CFDB25DFB5C944A9DBBF5FF89300F248269E505AB2A1DB31A981CF10

Function 09956CA0 Relevance: 1.9, Strings: 1, Instructions: 697
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fff?, xrefs: 09957317

Memory Dump Source

Source File: 00000000.00000002.3281096867.0000000009950000.00000040.00000800.00020000.00000000.sdmp, Offset: 09950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9950000_filedata.jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: 665c1400b401984e158c5caa2b7ad346b106b09084b7d157d4c1c0a04bd1d8c3
Instruction ID: eff0c9e161d3948152e28eec0956ede83d1eec9b0f774ad15f707dc2055030a8
Opcode Fuzzy Hash: 665c1400b401984e158c5caa2b7ad346b106b09084b7d157d4c1c0a04bd1d8c3
Instruction Fuzzy Hash: F4624A35800A1ADFCF11CFA0C884AD9B7B2FF99304F1586D5E9096B125EB71AAD5CF80

Function 09955C18 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281096867.0000000009950000.00000040.00000800.00020000.00000000.sdmp, Offset: 09950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9950000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c4f43c8ea4293d9bc3a007c0a68f844ad31acb5b8bef6f2a2d17e82b803e94
Instruction ID: f7e3fc1b48e67d50659f23e3c3e886f1396b88fee16564e6322af87aeb69d5ec
Opcode Fuzzy Hash: 64c4f43c8ea4293d9bc3a007c0a68f844ad31acb5b8bef6f2a2d17e82b803e94
Instruction Fuzzy Hash: C8523935910619CFCB21DF64C844BEAB7B5FF89300F1585D9E84AAB261EB31EA81CF41

Function 09959A49 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281096867.0000000009950000.00000040.00000800.00020000.00000000.sdmp, Offset: 09950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9950000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db36e35e5540fa0bde63f615228658817ae13e601e823bd31368c93205e76618
Instruction ID: 83aa2c52a25cd6b12451eebda5f8be636c77deb65b10ecad8cde4b461d78b216
Opcode Fuzzy Hash: db36e35e5540fa0bde63f615228658817ae13e601e823bd31368c93205e76618
Instruction Fuzzy Hash: 83322931900619CFDB21DF64C944BDAB7B2FF89300F5585E9E84EAB261DB71AA85CF40

Function 071EE0B0 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: af9b77820d719ac14eb3f5d5566a41569591f177f72f29f503f1d6c7677289ea
Instruction ID: f6ded71244302d9e0be10f3292272f72585c69b90e5a01d8506c34699405867a
Opcode Fuzzy Hash: af9b77820d719ac14eb3f5d5566a41569591f177f72f29f503f1d6c7677289ea
Instruction Fuzzy Hash: 0EF16CB4A0060ACFEB14DFA9C844B9DBBF5FF48304F158569E409AB3A1DB70E949CB51

Function 09981348 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281144805.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9980000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d947d42c04985f1ff8a98188023edfc52f31221d805dc80ba1bedbae61e37540
Instruction ID: a45d6129ef49faec01825ca2a8ba06bedec8f1f9abc58b8624acc743713227ad
Opcode Fuzzy Hash: d947d42c04985f1ff8a98188023edfc52f31221d805dc80ba1bedbae61e37540
Instruction Fuzzy Hash: 6BD1AA707046118FEB29EB75C450BAF77EAAF89700F14446EE186DB6A1DB35E802CB51

Function 0102D4C8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0102D72E

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf3deba1873387412254f2ff25021b47deee885b2f9c92c3b76be79a47d2c11a
Instruction ID: cc34891836959f5cd8dbc092ae588f688a17b7c1e3af44c18b918c8120f06590
Opcode Fuzzy Hash: cf3deba1873387412254f2ff25021b47deee885b2f9c92c3b76be79a47d2c11a
Instruction Fuzzy Hash: 5D8166B0A00B158FE764DF6AD44479ABBF1FF88304F10896DD48AD7A40E775E949CB90

Function 0102C53C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0102FBE2

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8442d49a3ada27b6672556814be0ba451c1697c9fe442d17346d225e93e69b70
Instruction ID: a384f9cdfea19f8d4d76af1e734ba0964a3a61516729c3fb57cfbe6dba1f40e8
Opcode Fuzzy Hash: 8442d49a3ada27b6672556814be0ba451c1697c9fe442d17346d225e93e69b70
Instruction Fuzzy Hash: 1351BDB1D0035A9FDB14CF9AC994ADEBBB5FF48350F24812AE819AB210D774A845CF90

Function 01027848 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff1b489fbe61fac01b511e4eec512694099f18db327ca3015513ae6a0a60af0
Instruction ID: e51fb29396f41bd817477ed3e3aa96fedcfa8050a76ca6a168eed6323d8f5f28
Opcode Fuzzy Hash: 7ff1b489fbe61fac01b511e4eec512694099f18db327ca3015513ae6a0a60af0
Instruction Fuzzy Hash: E241A2B49043048FE704DF61E554A6A3BF9FB89701F248029EA859B388CB795C01CF22

Function 01027780 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0102780F

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d40dc3581d65c9374b6f474381f61ca74034eddcba12940b6b0c504d34de0f3
Instruction ID: 3910fb7c5ab9df706ffc59fd132b1f0e0fad8869380822a7a7746589124de709
Opcode Fuzzy Hash: 0d40dc3581d65c9374b6f474381f61ca74034eddcba12940b6b0c504d34de0f3
Instruction Fuzzy Hash: 3A21E5B5D002599FDB10CFAAD884ADEBFF9EB48310F14841AE958A3350D378A954CF65

Function 071E47EC Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,071E5450,039642B4,029AB100), ref: 071E54E1

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 64673144f49a7d62d8d78614fdee4ac13c8fde8f7ef8b60af7497264081a5dd9
Instruction ID: d3473f52b7e21cc98d9ba85388fb36bda2506f37a7f29c356fa90e9b508ad5df
Opcode Fuzzy Hash: 64673144f49a7d62d8d78614fdee4ac13c8fde8f7ef8b60af7497264081a5dd9
Instruction Fuzzy Hash: 71214CB1D0020A8FDB10CF9AC848BEEFBF9EB88314F10842AD454A7250D778A944CFA5

Function 01027788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0102780F

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0405ad63bfcff435c84a30eddc3d424fd13c2fcdb0be34f53560d45cada4a379
Instruction ID: 18001a9c7ad52d04e686b3d0ef03273fc6f52603c02ef7734ae147dbb73de2c9
Opcode Fuzzy Hash: 0405ad63bfcff435c84a30eddc3d424fd13c2fcdb0be34f53560d45cada4a379
Instruction Fuzzy Hash: 9F21E3B5D002599FDB10CFAAD884ADEBBF8EB48310F14841AE958A3210D374A944CFA1

Function 071E5468 Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,071E5450,039642B4,029AB100), ref: 071E54E1

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: e57c75a225bdf9aac007cd147c4d55cb2f7e7384ad30d5d670ec211d66c57da4
Instruction ID: 15e5c00a7745cf9a68a2f0e154ad906e6719d4d708870a8d4202d438414d9d56
Opcode Fuzzy Hash: e57c75a225bdf9aac007cd147c4d55cb2f7e7384ad30d5d670ec211d66c57da4
Instruction Fuzzy Hash: 55214CB1D0024A8FDB10CF9AC848BEEFBF9EB88310F14842AD454A7250D778A944CF61

Function 071ED2A0 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,071EE292,00000000,00000000,039642B4,029AB100), ref: 071EE6E0

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 60d85799ade86d9ef8cc03e8f59fe00f4c0a303b26b5d9b0dd415c90beeea625
Instruction ID: c00efe83fbe2dca51c1b5a4408e4513b6b65c8a46b16ca66e816262984438aff
Opcode Fuzzy Hash: 60d85799ade86d9ef8cc03e8f59fe00f4c0a303b26b5d9b0dd415c90beeea625
Instruction Fuzzy Hash: 3C1117B5C00259DFDB10CF9AD544BDEBBF8FB48310F10842AE958A3250D378A944CFA5

Function 0102C3C8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0102D7A9,00000800,00000000,00000000), ref: 0102D9BA

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1482c21f816d257a992b7f3c58ad2fbce85d57f4f24a5535a07161aaa45ad7d2
Instruction ID: bb4c0dd768e5ea092a8ddf2788560e32e95cfb9ca1eabe7ae019c97d1e6adab5
Opcode Fuzzy Hash: 1482c21f816d257a992b7f3c58ad2fbce85d57f4f24a5535a07161aaa45ad7d2
Instruction Fuzzy Hash: 241114B6D003198FDB10CF9AD448ADEFBF5EB88310F10842EE559A7200C375A945CFA5

Function 0102D948 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0102D7A9,00000800,00000000,00000000), ref: 0102D9BA

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d006e8efde1e9534cb071982bc11b9d3a80b00346d421666387c949d1f48bbb
Instruction ID: 09ec8a24fa2970b173ddde92280215f84886a4985c30db16c1cef67aa3104e20
Opcode Fuzzy Hash: 2d006e8efde1e9534cb071982bc11b9d3a80b00346d421666387c949d1f48bbb
Instruction Fuzzy Hash: 711103B6D003498FDB10CFAAD444A9EFBF5AB48310F10842EE959A7300C375A945CFA5

Function 071EE672 Relevance: 1.6, APIs: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,071EE292,00000000,00000000,039642B4,029AB100), ref: 071EE6E0

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 2e9392afdba015968a812ad28b0f2f45bc476b1ec80e0ba35890febbc0e7b603
Instruction ID: 860e614fabb3ac7cd975d5599f194cba21ba90058c7055b5bc407738648f07ac
Opcode Fuzzy Hash: 2e9392afdba015968a812ad28b0f2f45bc476b1ec80e0ba35890febbc0e7b603
Instruction Fuzzy Hash: 3511E4B5C0025A9FDB10CF9AD944BDEBBF8EB48320F10842AE958A3250D378A545DFA5

Function 071ED2B8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,071EE31F,00000000,039642B4,029AB100,00000000,?), ref: 071EEA7D

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 708503da191d1ab7b40dc08df92f824c22dd45ef638e3927decd6e6f5d5485f4
Instruction ID: c21d904c5c7a75e481bba9f4eccbe1959653aa47c97f4519f3303c8026ee7c3b
Opcode Fuzzy Hash: 708503da191d1ab7b40dc08df92f824c22dd45ef638e3927decd6e6f5d5485f4
Instruction Fuzzy Hash: 2611D3B5C047499FDB10DF9AD844BDEBBF8FB48310F10846AE958A3251D378A948CFA5

Function 071EEA10 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,071EE31F,00000000,039642B4,029AB100,00000000,?), ref: 071EEA7D

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8ffcdf77389ff45c92f5b064f2eece072cbd13747a1716c754f95d724ddbb64b
Instruction ID: 8d5b48eeda9736429e5bba112af24723248088474d91febaa8cb65fbfb614283
Opcode Fuzzy Hash: 8ffcdf77389ff45c92f5b064f2eece072cbd13747a1716c754f95d724ddbb64b
Instruction Fuzzy Hash: 421114B5C003499FDB10CF9AD884BDEFBF8EB48310F10842AE418A3240D378A649CFA5

Function 071E5B30 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 071E5B95

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8d2c15dad4c09d8832babf95b57dbbd43376a3fd37766e42a23761aa242fb340
Instruction ID: 3240d67c5215fe1fb73f0b35091377060ec304faafcd35964caed127a4b3f09b
Opcode Fuzzy Hash: 8d2c15dad4c09d8832babf95b57dbbd43376a3fd37766e42a23761aa242fb340
Instruction Fuzzy Hash: 2311F2B58003499FCB10CF9AD989BDEBBF8EB48324F14841AE958A7241D379A544CFA1

Function 0102D6C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0102D72E

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b895a45694c0a175ec216cab77bd2563feb350c2e86f2ca0d3a309cca075ea38
Instruction ID: f3b985d44f0357bf5ef3c3cc1ebad8d78fb8072fdb410e48a1f958a07e9c6965
Opcode Fuzzy Hash: b895a45694c0a175ec216cab77bd2563feb350c2e86f2ca0d3a309cca075ea38
Instruction Fuzzy Hash: 6411E0B5C00359CFDB10CF9AD448ADEFBF9EB88314F10846AD559A7210D379A545CFA1

Function 0102F6EC Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0102FD00,?,?,?,?), ref: 0102FD75

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5138eb68c8a65bc5f1ad2bc6ac2e4fd7eabd886f893f33ec7b354e11e08dc51b
Instruction ID: 73942ee8393a2917b66d59de81dd1a5eca673b63d936eff923c2082100c9dc11
Opcode Fuzzy Hash: 5138eb68c8a65bc5f1ad2bc6ac2e4fd7eabd886f893f33ec7b354e11e08dc51b
Instruction Fuzzy Hash: 5511F5B5800259DFDB10DF9AD449B9EBBF8EB48310F10845AE959A7210C374A944CFA1

Function 071E4780 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 071E4F95

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 993d843950ce19e93ed04ec5f54a1ef1972f9c70393448466a0b41512021c1df
Instruction ID: 55c2b2eea5a2e074bd3420e7347e4a8227a3c47adff34613bc1d633d5441cae2
Opcode Fuzzy Hash: 993d843950ce19e93ed04ec5f54a1ef1972f9c70393448466a0b41512021c1df
Instruction Fuzzy Hash: D81115B5C04749CFCB20DF9ED449B9EBBF8EB48310F108459E519A7250D374A944CFA5

Function 071ED2EC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,071EE3D7), ref: 071EEF45

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 086773fb7041cd51996513a48be127bd501f7795eee840b2ca8cbb83899c4259
Instruction ID: db531ff5740c817ed1f77d54d39cbd5ebc799787383eedb5f2f5277259152e32
Opcode Fuzzy Hash: 086773fb7041cd51996513a48be127bd501f7795eee840b2ca8cbb83899c4259
Instruction Fuzzy Hash: 1B11FEB5C04649CFDB20DF9AD848B9EFBF8EB48310F10846AE519B7250D378A548CFA5

Function 071EEEE0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,071EE3D7), ref: 071EEF45

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cc6e3a503ae4ce3b1256bfbd5827da37c3a65a68c8dc53ac54fa1807009a9f59
Instruction ID: 3994bb3be08f488fcfd2514d8cedc6bb8e7a7fc829ce44e3a3a1ca8d05995932
Opcode Fuzzy Hash: cc6e3a503ae4ce3b1256bfbd5827da37c3a65a68c8dc53ac54fa1807009a9f59
Instruction Fuzzy Hash: E511F2B5C04649CFCB20CF9AD448BCEFBF8EB48310F10845AD419A3250D378A549CFA5

Function 071E4F38 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 071E4F95

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8173e4cb2035f51267961ab1ff436e21003eab1ac9fe5810439fff4a3290e70d
Instruction ID: 0163cc63627ac6de9036d39807ee2296c794e1f13b53754f7ef352130a4c1b57
Opcode Fuzzy Hash: 8173e4cb2035f51267961ab1ff436e21003eab1ac9fe5810439fff4a3290e70d
Instruction Fuzzy Hash: 4E1100B5C00349CFCB20DF9AD589B8EFBF8EB48324F24845AE518A7250D378A544CFA5

Function 071E5B38 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 071E5B95

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4254dd71da5b5635379017c5685afb9bce52a32f7d464a6b8f503645975d2399
Instruction ID: 0513dda2c386176ec4ab22cfccb80cf684bd50e120f3216ec0868fe605371dd9
Opcode Fuzzy Hash: 4254dd71da5b5635379017c5685afb9bce52a32f7d464a6b8f503645975d2399
Instruction Fuzzy Hash: 7311D0B5800349DFDB10DF9AD989BDEBBF8EB48324F10881AE558A7250C375A954CFA1

Function 099812F3 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281144805.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9980000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1285ef8a34d9e06f022697c1e0866fa5afeefb823cf008bdda21bdaf07b53c
Instruction ID: 212217ce6f63ade83adb4fbd2db8717f30fcd3d0f8c6f77410a352084feb3185
Opcode Fuzzy Hash: ab1285ef8a34d9e06f022697c1e0866fa5afeefb823cf008bdda21bdaf07b53c
Instruction Fuzzy Hash: D3C1A9707046118FDB29EB75C460BAF77EAAF89700F64446EE186CB6A1DF35E802CB51

Function 09981346 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281144805.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9980000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ea93104291d6e6cafe86f2bbf063c6473c7b795dd802851406abf87ab91108
Instruction ID: 1a68e5bf6c2ad9532eb812c8982f9c15355b717de9d9ca3a0c409f2fe572b5a9
Opcode Fuzzy Hash: 65ea93104291d6e6cafe86f2bbf063c6473c7b795dd802851406abf87ab91108
Instruction Fuzzy Hash: EAB189717006118FEB29EF75C460BAF77EAAF89700F64446DE186DB6A0DB35E802CB51

Function 099817F0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3281144805.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9980000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1841d44821ed561baa21cd6d6a8cad06b24ffc42a23fdfa86ca44a0b793cedb
Instruction ID: a4d771c87037fbd55c36adc0717ad3bfb877579e932b2c73da415abb526c1d1a
Opcode Fuzzy Hash: b1841d44821ed561baa21cd6d6a8cad06b24ffc42a23fdfa86ca44a0b793cedb
Instruction Fuzzy Hash: E4B17830B012049FDB14EF69D590AAEB7FAEF89700F2444A9E546DB3A1CB31ED42CB50

Function 00D0D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe4c9ae572b794a47480e42f6d2f8ec44cebcfce496e91e382d27efe4fd71b8
Instruction ID: c28ad576d294c1f3ea0142ae543f4292074ba62f73f444dff9d4e5a5dfa53eee
Opcode Fuzzy Hash: 2fe4c9ae572b794a47480e42f6d2f8ec44cebcfce496e91e382d27efe4fd71b8
Instruction Fuzzy Hash: 0E2106B1504200DFDB05DF94D9C4B26BF66FB99318F34856EED090B296C336D856C6B1

Function 00D0D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead8ef08e1c2014e9e82e38c3ab3393494e44c383ad8dcc9a46bff5dd90d9e47
Instruction ID: be499f5820095e6fbb38f3ec47f6a06895ed8fad13007ca9e9c340e5d2687d6c
Opcode Fuzzy Hash: ead8ef08e1c2014e9e82e38c3ab3393494e44c383ad8dcc9a46bff5dd90d9e47
Instruction Fuzzy Hash: C62125B1504204EFDB05DF94D9C0B26BF66FB94324F24C56AE94D0B286C336E816C6B1

Function 00D1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279428454.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b2bbf868c74540b7c0cc6f4a46af28b5f14c6dd6c66e23d411278186ce279c
Instruction ID: 2114c70d2a54f61122334a9bd0b61df86f06b9c5e33710cbd586dc3231460d9b
Opcode Fuzzy Hash: 20b2bbf868c74540b7c0cc6f4a46af28b5f14c6dd6c66e23d411278186ce279c
Instruction Fuzzy Hash: 8821F575504240EFDB14DF14E9C4B56BB66EB88314F34C56DE84A4B286CB3AD887CA71

Function 00D1D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279428454.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3234f71ea977887f6c1e099f247fa2f9469bb2b92c2a1765e8d0b0db388b22
Instruction ID: d91fd1577d28ba649d3c9a64f5ce30120f187ae5c1405bb12cb0036c0bbf6741
Opcode Fuzzy Hash: 6f3234f71ea977887f6c1e099f247fa2f9469bb2b92c2a1765e8d0b0db388b22
Instruction Fuzzy Hash: 8C2149B1504204FFCB04CF54E5C0B56BB66FB84314F34C56DD8494B286CB36E886CA72

Function 00D1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279428454.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb99e07c538a34c5f5269a50ee98590b52dae003c8e09cb0312e7ccf94a4fc2
Instruction ID: f6807fc56c0802d7579d8ec4daae99572bc152e929fecfd2ddfbc3e9be450727
Opcode Fuzzy Hash: dfb99e07c538a34c5f5269a50ee98590b52dae003c8e09cb0312e7ccf94a4fc2
Instruction Fuzzy Hash: 602195755093C09FC702CF24D594715BF71EB46314F28C5DAD8498F6A7C33A984ACB62

Function 00D0D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 6ca5eeed2cc8d0681d967d91c43a4c79d041f76acb147b424bde6bf11d0158af
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: E611E676504240CFCB16CF54D9C4B16BF72FB95324F28C6AADD090B696C33AD85ACBA1

Function 00D0D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: fd7ce37f475bae56cec6965045ef8db0f948db3f65e34719c2cff39695546ae4
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 50112672404240DFCB02CF40D9C4B16FF72FB94320F28C5AAD8090B656C33AE85ACBA1

Function 00D1D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279428454.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: f140e9acd1afbd0ceb670d311b9c1d5b977eab7dc1a4fa7c41010d19406a9396
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: DC11D075504240DFCB01CF14E5C4B55BB72FB84314F28C6ADD8494B656C33AE84ACB61

Function 00D0D75D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a0f7917aec63de76a6a49f9f999fce44c611f3830834011f9822402627de5d
Instruction ID: 81808d2b4f0e044b0bb2173e209d7669a1da56454768c48586713555c189142e
Opcode Fuzzy Hash: d6a0f7917aec63de76a6a49f9f999fce44c611f3830834011f9822402627de5d
Instruction Fuzzy Hash: 2E01A7711093409EE7109A99DDC4766BF99DF91760F2CC85BED4E0A2C6C378D844C671

Function 00D0D5F3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe74a87af246c487268749c0453e6be57762a13939e09592358c60facd93569
Instruction ID: bd21978b220c59871c403ec536f8fe5b9c350d2d4baa721c91e75f6e0578a1bd
Opcode Fuzzy Hash: 3fe74a87af246c487268749c0453e6be57762a13939e09592358c60facd93569
Instruction Fuzzy Hash: ADF0F9B6200644AFD720CF4AD885C27FBAEEFD4770719C55AE84A4B752C672EC41CAB0

Function 00D0D75C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3582afa79a0154d99c03bd1b720956ad929d4cdbedcbb708ca41bbdb3089521
Instruction ID: a379fcf45c5863e63988bcef806a5cfddf5952f1eac424cf357783a80fd85698
Opcode Fuzzy Hash: e3582afa79a0154d99c03bd1b720956ad929d4cdbedcbb708ca41bbdb3089521
Instruction Fuzzy Hash: 30F09671404344AEE7108A1ADD84B63FFA8EF91734F18C45AED4D4B2D6C3799C44CA71

Function 00D0D5E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279366880.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0d000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1de8b189d8031a1298c7ddf3b292b48a01f7f9d71a3babc8ced1a1733e44baa
Instruction ID: f3b891472cb5ffd3edf5111fd4fda45dee44c0f7d16022c5dc1a1f3e8907971e
Opcode Fuzzy Hash: b1de8b189d8031a1298c7ddf3b292b48a01f7f9d71a3babc8ced1a1733e44baa
Instruction Fuzzy Hash: 1EF04F75104680AFD715CF56CC84C23BFB9EF85760719848AE88A4B362C631FC42CB70

Non-executed Functions

Function 0995D2A8 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 0995D2F5
GetKeyState.USER32(00000002), ref: 0995D33A
GetKeyState.USER32(00000004), ref: 0995D37F
GetKeyState.USER32(00000005), ref: 0995D3C4
GetKeyState.USER32(00000006), ref: 0995D409

Memory Dump Source

Source File: 00000000.00000002.3281096867.0000000009950000.00000040.00000800.00020000.00000000.sdmp, Offset: 09950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9950000_filedata.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 220c6e31f79eda81ebbecb3efa9e0251899a30348876016e36798357a7487e6d
Instruction ID: eecca467a7f3f6f8d2177fb51f8cbc83dd33315d0fa5c39b4d7c78b40e768167
Opcode Fuzzy Hash: 220c6e31f79eda81ebbecb3efa9e0251899a30348876016e36798357a7487e6d
Instruction Fuzzy Hash: 614163B1C017458EDB10DF99D55C3AFBFF4AB05709F208419D48AA6290D37A568ACFA2

Function 071E0F07 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5caf905b92bdabe27a6232d9626bc6adf7be44b15557b80f88d5867a3578fd3
Instruction ID: efa885c0abd38f09d17f5226579e38f4ddecded6dfed89ce62c817d21c5f614a
Opcode Fuzzy Hash: a5caf905b92bdabe27a6232d9626bc6adf7be44b15557b80f88d5867a3578fd3
Instruction Fuzzy Hash: 7FD1183182465A8ADB01EF68D99069DF771FF95300F60C79AE4493B254EF706AC5CF90

Function 071E0F18 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3280945440.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff99e5d77033ac4305e8ab0debd7efb87983a8c22ed5b5c492cf0b4f04889e1e
Instruction ID: 0884bf59d46660e843d5745596dd7e964ddfcec9bfe1a6e8000724ac84ea128f
Opcode Fuzzy Hash: ff99e5d77033ac4305e8ab0debd7efb87983a8c22ed5b5c492cf0b4f04889e1e
Instruction Fuzzy Hash: 77D1263182465A8ADB01EF68D99069DF7B1FF96300F60C79AE4493B254EF706AC5CF90

Function 0102C1B8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3279712165.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1020000_filedata.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2209947655eeb836da418d481479dae62a82141db5ecf715db33641a5b68db3
Instruction ID: ee5a424516895124e3b4c954d278b7ef36b917fadd5a6e16be8fd97497af1a4d
Opcode Fuzzy Hash: c2209947655eeb836da418d481479dae62a82141db5ecf715db33641a5b68db3
Instruction Fuzzy Hash: AEA18332E0022ACFDF19DFB4C9445DEBBB2FF85300B2545AAE945AB215DB35E945CB80

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report filedata.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: filedata.exePID: 5168, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: filedata.exePID: 5168, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 071E3F20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 530COMMON

Windows Analysis Report
filedata.exe

Function 071E3F20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 530
COMMON

Function 071E3F10 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 323
COMMON

Function 09956CA0 Relevance: 1.9, Strings: 1, Instructions: 697
COMMON

Function 0102D4C8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 0102C53C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 01027848 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON