Edit tour

Windows Analysis Report
a.exe

Overview

General Information

Sample name:	a.exe
Analysis ID:	1473196
MD5:	19aff0a43f80919a6113020d3ff38300
SHA1:	f0db6e0967c534fa0326c9db009d0f22e0112a6b
SHA256:	de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0
Tags:	exemeeting-equitaligaiustizia-it
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

PE file has a writeable .text section

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Detected non-DNS traffic on DNS port

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

a.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\a.exe" MD5: 19AFF0A43F80919A6113020D3FF38300)

cleanup

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.a.exe.400000.0.unpack	Pirpi_1609_A	Detects Pirpi Backdoor - and other malware (generic rule)	Florian Roth	0x460:$op1: 74 08 C1 CB 0D 03 DA 40 EB 0x44a:$op2: 03 F5 56 8B 76 20 03 F5 33 C9 49 0x472:$op3: 03 DD 66 8B 0C 4B 8B 5E 1C 03 DD 8B 04 8B 03 C5

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: a.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: a.exe	Virustotal: Detection: 75%			Perma Link
Source: a.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.9% probability

Machine Learning detection for sample

Source: a.exe

Joe Sandbox ML: detected

Source: a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:59159 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.4:60099 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:53727 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:59157 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 173.222.162.32 173.222.162.32

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\a.exe

Code function: 0_2_0042AB7A socket,bind,ioctlsocket,recv,

0_2_0042AB7A

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BKYog6EU1eMYTXH&MD=Y78V3DYp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BKYog6EU1eMYTXH&MD=Y78V3DYp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic

DNS traffic detected: DNS query: themicrosoftnow.com

Source: a.exe, 00000000.00000002.3510834715.000000000049E000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a1
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a1O
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a2
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a2?
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a2F
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a2ON)Cu
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a2g
Source: a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://themicrosoftnow.com/?q=17e314a2o)bu

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 59159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59159

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:59159 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.a.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects Pirpi Backdoor - and other malware (generic rule) Author: Florian Roth

PE file has a writeable .text section

Source: a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00428C16	0_2_00428C16
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_004291A9	0_2_004291A9
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00428672	0_2_00428672
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_0042E3D1	0_2_0042E3D1
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00429795	0_2_00429795

Source: a.exe

Static PE information: No import functions for PE file found

Source: a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.a.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Pirpi_1609_A date = 2016-09-08, hash2 = 8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78, hash1 = 2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c, author = Florian Roth, description = Detects Pirpi Backdoor - and other malware (generic rule), reference = http://goo.gl/igxLyF, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: a.exe

Static PE information: Section .text

Source: classification engine

Classification label: mal76.winEXE@1/0@2/9

Source: C:\Users\user\Desktop\a.exe

Code function: 0_2_0042C51A CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

0_2_0042C51A

Source: C:\Users\user\Desktop\a.exe

Mutant created: \Sessions\1\BaseNamedObjects\__user__

Source: a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: a.exe	Virustotal: Detection: 75%
Source: a.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: msvcrt40.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: a.exe

Static PE information: real checksum: 0x17fb2 should be: 0xffd3

Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00401000 push esp; retf 91AFh	0_2_004012A7
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00420D68 push ebx; retf 0000h	0_2_00420D69
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00420E18 pushad ; iretd	0_2_00420E19
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_0042FEE0 push eax; ret	0_2_0042FF0E
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00420B7D push cs; retn 0000h	0_2_00420C1D

Source: a.exe

Static PE information: section name: .text entropy: 7.9026165840806435

Source: C:\Users\user\Desktop\a.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\a.exe

Code function: 0_2_00426CD0 rdtsc

0_2_00426CD0

Source: C:\Users\user\Desktop\a.exe

Last function: Thread delayed

Source: a.exe, 00000000.00000002.3510834715.000000000049E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\a.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\a.exe

Code function: 0_2_00426CD0 rdtsc

0_2_00426CD0

Source: C:\Users\user\Desktop\a.exe

Code function: 0_2_004269AE LdrLoadDll,

0_2_004269AE

Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_0040122B mov eax, dword ptr fs:[00000030h]	0_2_0040122B
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00426963 mov eax, dword ptr fs:[00000030h]	0_2_00426963
Source: C:\Users\user\Desktop\a.exe	Code function: 0_2_00426990 mov eax, dword ptr fs:[00000030h]	0_2_00426990

Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:07 - Check: explorer.exe 2580 Shell_TrayWnd
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:08 - Check: explorer.exe 2580 Shell_TrayWnd
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:06 - Check: explorer.exe 2580 Shell_TrayWnd
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:09 - Check: explorer.exe 2580 Shell_TrayWnd
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:08 - Check: explorer.exe 2580 Progman Program Manager
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:06 - Check: explorer.exe 2580 Progman Program Manager
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:07 - Check: explorer.exe 2580 Progman Program Manager
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:10 - Check: explorer.exe 2580 Progman Program Manager
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:09 - Check: explorer.exe 2580 Progman Program Manager
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:05 - Check: explorer.exe 2580 Progman Program Manager
Source: a.exe, 00000000.00000002.3511147119.00000000023F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06:49:10 - Check: explorer.exe 2580 Shell_TrayWnd

Source: C:\Users\user\Desktop\a.exe

Code function: 0_2_0042AB7A socket,bind,ioctlsocket,recv,

0_2_0042AB7A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Software Packing	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	3 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
a.exe	76%	Virustotal		Browse
a.exe	74%	ReversingLabs	Win32.Trojan.Leonem
a.exe	100%	Avira	HEUR/AGEN.1318542
a.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
themicrosoftnow.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://themicrosoftnow.com/?q=17e314a1O	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a1	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a2ON)Cu	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a2	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a2?	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a2F	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a2o)bu	0%	Avira URL Cloud	safe
http://themicrosoftnow.com/?q=17e314a2g	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
themicrosoftnow.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://themicrosoftnow.com/?q=17e314a1O	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a1	a.exe, 00000000.00000002.3510834715.000000000049E000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a2	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a2?	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a2ON)Cu	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a2F	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a2o)bu	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://themicrosoftnow.com/?q=17e314a2g	a.exe, 00000000.00000002.3510834715.00000000004D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.165.165.26	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.68.123.157	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
173.222.162.32	unknown	United States	35994	AKAMAI-ASUS	false

Private

IP
192.168.2.1
192.168.2.8
192.168.2.7
192.168.2.4
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1473196
Start date and time:	2024-07-15 07:47:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	a.exe
Detection:	MAL
Classification:	mal76.winEXE@1/0@2/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 192.229.221.95
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
52.165.165.26	b6HXTGQmJN.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
40.68.123.157	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
173.222.162.32	RgZaLjgCto.exe	Get hash	malicious	Tinba	Browse
	JRDpxoBkBJ.exe	Get hash	malicious	NotPetya	Browse
	smartsscreen.exe	Get hash	malicious	Xmrig	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	p2pWin.exe	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	file-sample_100kB.doc	Get hash	malicious	Unknown	Browse	13.107.246.60
	My Info Tech Partner Executed Agreement Docs#186231(Revised).pdf	Get hash	malicious	HTMLPhisher	Browse	20.190.159.75
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	51.139.222.6
	botx.x86.elf	Get hash	malicious	Mirai	Browse	20.36.42.245
	botx.mips.elf	Get hash	malicious	Mirai	Browse	51.152.245.210
	s6ue6dcFAI.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	JblYqEneyY.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	s6ue6dcFAI.exe	Get hash	malicious	Babadeda	Browse	94.245.104.56
	185.208.158.215-mips-2024-07-14T08_54_05.elf	Get hash	malicious	Unknown	Browse	20.115.182.79
MICROSOFT-CORP-MSN-AS-BLOCKUS	file-sample_100kB.doc	Get hash	malicious	Unknown	Browse	13.107.246.60
	My Info Tech Partner Executed Agreement Docs#186231(Revised).pdf	Get hash	malicious	HTMLPhisher	Browse	20.190.159.75
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	51.139.222.6
	botx.x86.elf	Get hash	malicious	Mirai	Browse	20.36.42.245
	botx.mips.elf	Get hash	malicious	Mirai	Browse	51.152.245.210
	s6ue6dcFAI.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	JblYqEneyY.exe	Get hash	malicious	Babadeda	Browse	20.96.153.111
	s6ue6dcFAI.exe	Get hash	malicious	Babadeda	Browse	94.245.104.56
	185.208.158.215-mips-2024-07-14T08_54_05.elf	Get hash	malicious	Unknown	Browse	20.115.182.79
AKAMAI-ASUS	00#U2800.exe	Get hash	malicious	Python Stealer	Browse	23.47.168.24
	My Info Tech Partner Executed Agreement Docs#186231(Revised).pdf	Get hash	malicious	HTMLPhisher	Browse	2.19.244.159
	https://shell-shiny-spectrum.glitch.me/public/CcNfN0.HTM	Get hash	malicious	HTMLPhisher	Browse	23.50.131.157
	https://lnky.ru/rhrwt	Get hash	malicious	Unknown	Browse	2.16.202.113
	botx.x86.elf	Get hash	malicious	Mirai	Browse	23.210.234.238
	botx.mips.elf	Get hash	malicious	Mirai	Browse	104.78.68.129
	https://lnky.ru/qqj9v	Get hash	malicious	Unknown	Browse	2.19.126.133
	http://coffeeroasting.co.th/	Get hash	malicious	Unknown	Browse	23.223.209.21
	http://lnky.ru/82s0t	Get hash	malicious	Unknown	Browse	88.221.169.65
	Setup.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine	Browse	184.28.90.27

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file-sample_100kB.doc	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	https://abu.usaday.biz/favicon.ico	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	http://khalidhost.loseyourip.com:777/dddd.mp4	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	http://teligeam.cam/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	http://ipfs.io/ipfs/bafybeidnyrv32bguoxmjyjmacd3ry2ldez34oxvmsn7neqkhso4nh4pcqe/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	http://arijitarz.github.io/netflix/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	https://pttgov-gw.top/help/	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	https://yasmeen1211.github.io/Video-Streaming-Platform	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157
	https://bhaiqori.github.io/review-meta-service	Get hash	malicious	Unknown	Browse	52.165.165.26 40.68.123.157

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.884079926004798
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	a.exe
File size:	35'328 bytes
MD5:	19aff0a43f80919a6113020d3ff38300
SHA1:	f0db6e0967c534fa0326c9db009d0f22e0112a6b
SHA256:	de19e0163af15585c305f845b90262aee3c2bdf037f9fc733d3f1b379d00edd0
SHA512:	bbd6b4fdf3aea24aa66b6e17b778596c86260f76b7d0502fe5339dc198d30c4314d18eb8121ec07995ea86d461c9bf0985c436b3c65b0001b357305a1e457e27
SSDEEP:	768:TLlw6CpA/0H9QoiMLD7aBzE/BMR35hUJtwjxI1VFA:TZMgu9QFM7x/BOpCExI7FA
TLSH:	B5F2E175AEA61746CAECDF38DDB97F31503CE1D63A280A3C8CC879D76CA1B47A160584
File Content Preview:	MZl.....................@.......Win32 Program!..$......!.L.!`...GoLink www.GoDevTool.com........PE..L......f..........................................@........................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6686D5B5 [Thu Jul 4 17:02:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
xor ecx, ecx
jmp 00007F564526EBF4h
jmp 00007F564526EBF7h
call 00007F564526EBEEh
pop eax
add eax, 11h
xor byte ptr [eax], 0000006Ah
inc eax
inc ecx
cmp ecx, 00008757h
jne 00007F564526EBE5h
sub edx, 68h
push 0000006Ah
jmp 00007F568460667Bh
cmp al, 59h
xchg dword ptr [4E4E16E1h], edi
jecxz 00007F564526EBF8h
dec esi
jle 00007F564526EBD5h
push es
dec esi
jc 00007F564526EBD5h
push es
dec esi
jp 00007F564526EB9Fh
dec esi
jbe 00007F564526EC5Dh
push 0000006Ah
push FFFFFFE7h
dec esi
jp 00007F564526EBD9h
dec esi
jle 00007F564526EC2Ch
cmp eax, 4A4E3EE7h
cmp edi, dword ptr [eax]
add byte ptr [ebx+ebp*2], 0000006Ah
push FFFFFFEFh
stosb
push ds
jnl 00007F564526EBD3h
dec esi
jp 00007F564526EBD3h
dec esi
inc edx
das
loopne 00007F564526EC58h
push edx
sub ah, dl
inc eax
xchg eax, ebp
jecxz 00007F564526EC20h
dec esi
jp 00007F564526EB73h
mov edx, 6A6A6BD4h
push FFFFFFE7h
dec esi
jp 00007F564526EBD9h
dec esi
jle 00007F564526EC2Ch
cmp eax, 4A4E3EE7h
cmp edi, dword ptr [eax]
adc byte ptr [ebx+6Bh], 0000006Ah
push FFFFFFE7h
pop esi
sbb ch, bl
xchg eax, esp
push 656B6A6Ah
in eax, dx
je 00007F564526EC5Dh
push 0000006Ah
out 2Eh, eax
dec esi
jp 00007F564526EBD9h
dec esi
jle 00007F564526EC2Ch
cmp eax, 4A4E3EE7h
cmp edi, dword ptr [eax]
cmp byte ptr [edi+6Bh], 0000006Ah
push FFFFFFEFh
stosb
pop ds
jno 00007F564526EBD9h
dec esi
jp 00007F564526EBD9h
dec esi
jle 00007F564526EC2Ch
cmp eax, 4A4E3EE7h
cmp edi, dword ptr [eax]
adc byte ptr [esi+00006A6Ah], 00000000h

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8780	0x8800	c0d261c253ade4e8b44b18a8fb33f126	False	0.9793198529411765	data	7.9026165840806435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 07:48:34.737529993 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 15, 2024 07:48:44.346996069 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 15, 2024 07:48:56.932049990 CEST	49672	443	192.168.2.4	173.222.162.32
Jul 15, 2024 07:48:56.932152033 CEST	443	49672	173.222.162.32	192.168.2.4
Jul 15, 2024 07:48:57.495899916 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:57.495944977 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:57.496000051 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:57.500076056 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:57.500097990 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:58.194803953 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:58.194900990 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:58.197336912 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:58.197344065 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:58.197655916 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:58.253057003 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:58.938100100 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:58.980503082 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169495106 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169516087 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169523954 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169564962 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169594049 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.169596910 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169612885 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169632912 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169657946 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.169712067 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.169747114 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.169807911 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.169815063 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.170171976 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.170308113 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.829463959 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.829500914 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:48:59.829523087 CEST	49730	443	192.168.2.4	52.165.165.26
Jul 15, 2024 07:48:59.829529047 CEST	443	49730	52.165.165.26	192.168.2.4
Jul 15, 2024 07:49:01.037134886 CEST	60099	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:01.044955015 CEST	53	60099	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:01.045764923 CEST	60099	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:01.053461075 CEST	53	60099	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:01.565610886 CEST	60099	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:02.059673071 CEST	60099	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:02.065232038 CEST	53	60099	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:02.065340996 CEST	60099	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:15.136529922 CEST	53727	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:15.141520977 CEST	53	53727	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:15.141758919 CEST	53727	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:15.146809101 CEST	53	53727	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:15.659360886 CEST	53727	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:15.724463940 CEST	53727	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:15.729790926 CEST	53	53727	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:15.729877949 CEST	53727	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:49:28.293047905 CEST	59157	53	192.168.2.4	162.159.36.2
Jul 15, 2024 07:49:28.298058033 CEST	53	59157	162.159.36.2	192.168.2.4
Jul 15, 2024 07:49:28.298233986 CEST	59157	53	192.168.2.4	162.159.36.2
Jul 15, 2024 07:49:28.303365946 CEST	53	59157	162.159.36.2	192.168.2.4
Jul 15, 2024 07:49:28.753206015 CEST	59157	53	192.168.2.4	162.159.36.2
Jul 15, 2024 07:49:28.758687019 CEST	53	59157	162.159.36.2	192.168.2.4
Jul 15, 2024 07:49:28.758814096 CEST	59157	53	192.168.2.4	162.159.36.2
Jul 15, 2024 07:49:28.872648954 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:28.872692108 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:28.873020887 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:28.874198914 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:28.874213934 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.655755043 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.655901909 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.661241055 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.661257029 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.661554098 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.671534061 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.712512016 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992098093 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992161989 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992209911 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992505074 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.992521048 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992635965 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.992639065 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992666960 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992705107 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.992772102 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.992779970 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.993046999 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.993230104 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.993324041 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:29.993355989 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:29.993488073 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:30.007904053 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:30.007930994 CEST	443	59159	40.68.123.157	192.168.2.4
Jul 15, 2024 07:49:30.008059025 CEST	59159	443	192.168.2.4	40.68.123.157
Jul 15, 2024 07:49:30.008068085 CEST	443	59159	40.68.123.157	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 07:48:40.161655903 CEST	63299	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:48:40.169413090 CEST	53	63299	1.1.1.1	192.168.2.4
Jul 15, 2024 07:48:40.255207062 CEST	55981	53	192.168.2.4	1.1.1.1
Jul 15, 2024 07:48:40.269239902 CEST	53	55981	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:01.029908895 CEST	53	56155	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:03.260839939 CEST	138	138	192.168.2.4	192.168.2.255
Jul 15, 2024 07:49:15.135704994 CEST	53	63221	1.1.1.1	192.168.2.4
Jul 15, 2024 07:49:28.291702986 CEST	53	59773	162.159.36.2	192.168.2.4
Jul 15, 2024 07:49:28.801639080 CEST	53	54094	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 15, 2024 07:48:40.161655903 CEST	192.168.2.4	1.1.1.1	0x47c8	Standard query (0)	themicrosoftnow.com	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:48:40.255207062 CEST	192.168.2.4	1.1.1.1	0x2978	Standard query (0)	themicrosoftnow.com	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:48:58 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BKYog6EU1eMYTXH&MD=Y78V3DYp HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49730	52.165.165.26	443	6516	C:\Users\user\Desktop\a.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:48:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ead434d9-ccc4-4b22-bcbb-cc83cf238a79 MS-RequestId: 5124a4f2-a044-4386-87ac-e75258ee859e MS-CV: j90t8wnlI0G7aGqf.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 05:48:58 GMT Connection: close Content-Length: 24490
2024-07-15 05:48:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-15 05:48:59 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	59159	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:49:29 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BKYog6EU1eMYTXH&MD=Y78V3DYp HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	59159	40.68.123.157	443	6516	C:\Users\user\Desktop\a.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:49:29 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 07e01441-7e2b-46e1-bcfb-da9facc0085f MS-RequestId: 54d515d3-dff1-4fd8-85aa-3772f8a2ef8b MS-CV: bwBPY7yjj0uCkB83.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 15 Jul 2024 05:49:29 GMT Connection: close Content-Length: 30005
2024-07-15 05:49:29 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-15 05:49:29 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	01:48:39
Start date:	15/07/2024
Path:	C:\Users\user\Desktop\a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\a.exe"
Imagebase:	0x400000
File size:	35'328 bytes
MD5 hash:	19AFF0A43F80919A6113020D3FF38300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	98.9%
Signature Coverage:	3.2%
Total number of Nodes:	439
Total number of Limit Nodes:	30

Executed Functions

Function 0042C51A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,0000022C,00000002,00000000), ref: 0042C5B7

Strings

,B, xrefs: 0042C5B7

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: ,B
API String ID: 2591292051-3761920493
Opcode ID: a25a29e07ff33b856039dfac94da5e17e2259f9090964ab20ed8f51f5caf7cca
Instruction ID: 69c12917d5625f236152d9589f3ea70b79f7e8fda487bdfd99b3498450476a6c
Opcode Fuzzy Hash: a25a29e07ff33b856039dfac94da5e17e2259f9090964ab20ed8f51f5caf7cca
Instruction Fuzzy Hash: 00114671A01228FBDB10EBA5DA48B9EB7B8AF44304F5045DAD505A7280D778EB84CF54

Function 004269AE Relevance: 1.5, APIs: 1, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 00426A09

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d357a9234166d3ab6c8eeba960308be9b97213f315f5a24bb1d9e6a64a306ddf
Instruction ID: 9b56c69823a120cde8835361d85800256868ba9bf9c6633a63092418a4b41b77
Opcode Fuzzy Hash: d357a9234166d3ab6c8eeba960308be9b97213f315f5a24bb1d9e6a64a306ddf
Instruction Fuzzy Hash: 2711DBB1A00208EFDB00CF99E984B9EBBB4FF44304F5140AAE805AB350D775AA95DB95

Function 0040122B Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00011CB0,00001000,00000040), ref: 00401290

Memory Dump Source

Source File: 00000000.00000002.3510784067.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3510769069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_a.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 02bb93b3727cd303fc7c3931be4f470b6c577474a4ca1623552423a40f144b6c
Instruction ID: ef9a3fa6a4c4783687441f2c87558c614114034e0e86d0a0dfc5117895701c22
Opcode Fuzzy Hash: 02bb93b3727cd303fc7c3931be4f470b6c577474a4ca1623552423a40f144b6c
Instruction Fuzzy Hash: DF01B1322406109FC7249F48CCC1B66B3E8EF49721B0A45AEEE46B77A2C6B5BC518694

Function 0042AB7A Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56097b8d573c60134cd7c5c1e702197eeff8a09875758029f50140bb9fbd7b41
Instruction ID: c2ee3f3054380049c76b824ffff242437c4a46d8cb7cea5eeef48a76fa79559e
Opcode Fuzzy Hash: 56097b8d573c60134cd7c5c1e702197eeff8a09875758029f50140bb9fbd7b41
Instruction Fuzzy Hash: BE5180B1E00218AFDB04DFE4E991BEEB7B5AF48304F548219F515AB380D778A901CB59

Function 0042C5C5 Relevance: 53.1, APIs: 7, Strings: 23, Instructions: 559
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE(?), ref: 0042C6A5
InternetSetOptionW.WININET(00000000,00000049,000FFFFF,00000004), ref: 0042C779
InternetOpenW.WININET(User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.,00000000,00000000,00000000,00000000), ref: 0042C8A0
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0042C8F3
HttpSendRequestW.WININET(?,00000000,00000000,?,?), ref: 0042CC7E
RevertToSelf.KERNELBASE ref: 0042CE1F
InternetCloseHandle.WININET(00000000), ref: 0042CE35

Strings

"0B, xrefs: 0042C9B7
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537., xrefs: 0042C7EC, 0042C80E, 0042C879, 0042C89B, 0042C8BA, 0042CBCA, 0042CC04
F0B, xrefs: 0042CD71
HTTP=HTTP://%s:%d, xrefs: 0042C857
explorer.exe, xrefs: 0042C64B
//B, xrefs: 0042CE1F
POST, xrefs: 0042C9AB
$, xrefs: 0042C727
Host: %s:%dContent-Length: %dAccept: %sProxy-Authorization: Basic %SUser-Agent: %s, xrefs: 0042CC2A
HTTP=HTTP://%s:%d, xrefs: 0042C7CA
/%x%x%x, xrefs: 0042C949
O0B, xrefs: 0042CE35, 0042CEBD, 0042CED3
+0B, xrefs: 0042CCC9
40B, xrefs: 0042C779, 0042C78C
text/html,application/xhtml+xml,application/xml,*/*, xrefs: 0042CC10
=0B, xrefs: 0042CC7E
/?q=%x, xrefs: 0042C91E, 0042C973
Host: %sContent-Length: %dAccept: %sProxy-Authorization: Basic %SUser-Agent: %s, xrefs: 0042CBE7
a0B, xrefs: 0042C7D6, 0042C863, 0042C955, 0042C98E, 0042CBF3, 0042CC36
text/html,application/xhtml+xml,application/xml,*/*, xrefs: 0042CBD6
X0B, xrefs: 0042CC5F
,B, xrefs: 0042C6B8, 0042C6C5
&/B, xrefs: 0042C6A5

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: Internet$CloseConnectHandleHttpImpersonateLoggedOpenOptionRequestRevertSelfSendUser
String ID: "0B$$$&/B$+0B$,B$/%x%x%x$//B$/?q=%x$40B$=0B$F0B$HTTP=HTTP://%s:%d$HTTP=HTTP://%s:%d$Host: %sContent-Length: %dAccept: %sProxy-Authorization: Basic %SUser-Agent: %s$Host: %s:%dContent-Length: %dAccept: %sProxy-Authorization: Basic %SUser-Agent: %s$O0B$POST$User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.$X0B$a0B$explorer.exe$text/html,application/xhtml+xml,application/xml,*/*$text/html,application/xhtml+xml,application/xml,*/*
API String ID: 442711457-2791847347
Opcode ID: 098bd4b58bc5e65f2bd99e56462270234b32664b925ffc9d425ba992b2768650
Instruction ID: 571e0ac3c45c6e96eb4045ade905452f511fd989386608dde7307241ba99af2a
Opcode Fuzzy Hash: 098bd4b58bc5e65f2bd99e56462270234b32664b925ffc9d425ba992b2768650
Instruction Fuzzy Hash: 75426370A00228EBDB24DF54DC85BEAB3B4FF48704F5481EAE50966280DB759BC5CF99

Function 0042DB8E Relevance: 35.1, APIs: 2, Strings: 18, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0042DCC2
new[].LIBCMTD ref: 0042DD0E

Strings

\, xrefs: 0042DC06
P, xrefs: 0042DBE2
~, xrefs: 0042DC0F
t, xrefs: 0042DC33
%, xrefs: 0042DBEB
m, xrefs: 0042DC3C
%, xrefs: 0042DBF4
\, xrefs: 0042DBFD
%, xrefs: 0042DC18
., xrefs: 0042DC2A
-B, xrefs: 0042DCC2
a0B, xrefs: 0042DC6C
s, xrefs: 0042DC21
p, xrefs: 0042DC45
%TM%\~stp, xrefs: 0042DC5E, 0042DC64
-.B, xrefs: 0042DC88
y-B, xrefs: 0042DBAF
,B, xrefs: 0042DD51

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: CreateFilenew[]
String ID: %$%$%$%TM%\~stp$,B$-.B$.$P$\$\$a0B$m$p$s$t$y-B$~$-B
API String ID: 2677580319-1007343944
Opcode ID: 1052bf6fb657033bd6e2e80ccc2485ef01e5a8547e03ede4d935053bbf40ea00
Instruction ID: 991b76666c0592443248787b340a2f2211c756335522731b30e180f6356b0313
Opcode Fuzzy Hash: 1052bf6fb657033bd6e2e80ccc2485ef01e5a8547e03ede4d935053bbf40ea00
Instruction Fuzzy Hash: 0F713970A1022C9BCB20DF50DC88BDAB7B5BF98304F1042D9D5096B290DBB65BD9CF59

Function 00427743 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new[].LIBCMTD ref: 00427786

Strings

.B, xrefs: 00427B20
b,B, xrefs: 00427A37
c.B, xrefs: 00427B7B
y-B, xrefs: 004279F4
themicrosoftnow.com, xrefs: 00427B3C
%ls, xrefs: 004277E3
-B, xrefs: 00427753, 004278FC
g-B, xrefs: 0042796B

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: new[]
String ID: -B$%ls$b,B$c.B$g-B$themicrosoftnow.com$y-B$.B
API String ID: 4059295235-2915703440
Opcode ID: bac67506c4bde1b7bed6b2cbd1d409884a53bcff170b6181209bdddc640cfa4f
Instruction ID: 830da3df04be107f8ec3ff06f81f01b6a6b533eee721bf3151cb76c3187da28a
Opcode Fuzzy Hash: bac67506c4bde1b7bed6b2cbd1d409884a53bcff170b6181209bdddc640cfa4f
Instruction Fuzzy Hash: AAC1A8B1E002289BDB24DF90DC45BDDB7B5BF48304F4045EAE509A7281DB74AB85CF69

Function 0042D43E Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 370
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new[].LIBCMTD ref: 0042D4A0
new[].LIBCMTD ref: 0042D82A
Sleep.KERNELBASE(00004E20), ref: 0042D9BF

Strings

themicrosoftnow.com, xrefs: 0042D8AE, 0042D8DB, 0042D8F2
themicrosoftnow.com, xrefs: 0042D916, 0042D92E
-B, xrefs: 0042D67B
g-B, xrefs: 0042D72B, 0042D9BF

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: new[]$Sleep
String ID: -B$g-B$themicrosoftnow.com$themicrosoftnow.com
API String ID: 344610696-3605936220
Opcode ID: c654ab827db24afe279abf6dc6cdb4f1eb550ff65189d50c1dcdac7fa483c925
Instruction ID: 7156f01f5ff38cc0c9668f9fe3e0901fc0f9b56cce36bf679595df8f6e05e353
Opcode Fuzzy Hash: c654ab827db24afe279abf6dc6cdb4f1eb550ff65189d50c1dcdac7fa483c925
Instruction Fuzzy Hash: DC025C70F00228EBDB25DF50ED59BAEB3B4BB44305F9081AAE50967290D7B85F85CF48

Function 0042F08F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8/B, xrefs: 0042F25E
L-B, xrefs: 0042F0B8
b,B, xrefs: 0042F273
A/B, xrefs: 0042F1A4, 0042F21D

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: 8/B$A/B$L-B$b,B
API String ID: 0-1919537502
Opcode ID: 11119b0ee33718ea5929a1a26b0d1346d0b97534b8fce023acc49c6cb05edbd1
Instruction ID: aef9ffe74e54d2a4df4160d35cbab9a4d367340717c3d44d66066497567aa269
Opcode Fuzzy Hash: 11119b0ee33718ea5929a1a26b0d1346d0b97534b8fce023acc49c6cb05edbd1
Instruction Fuzzy Hash: 49518DB1A01128EBDB20DF94ED58BDEB7B4FB48314F9041E9E109A7280D7799E84CF59

Function 00423D97 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 498
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00423FE9

Strings

socket() == SOCKET_ERROR, xrefs: 00424290
w/B, xrefs: 00423EE4, 004242B1
b,B, xrefs: 00423DEE
socket() == SOCKET_ERROR, xrefs: 00424004
socket() == SOCKET_ERROR, xrefs: 00423EB7

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: socket
String ID: b,B$socket() == SOCKET_ERROR$socket() == SOCKET_ERROR$socket() == SOCKET_ERROR$w/B
API String ID: 98920635-1736774646
Opcode ID: 168176c209fe0eb78d6f0d4e87bed2b1fdf991733941f422b53f8dc784dae6a9
Instruction ID: ce6d19fd95ae200415258df1787290cf5512b70acc554df741d9f25c621dad86
Opcode Fuzzy Hash: 168176c209fe0eb78d6f0d4e87bed2b1fdf991733941f422b53f8dc784dae6a9
Instruction Fuzzy Hash: 04225C74B00214EFDB18DF94E885BAEB3B1FF88704F50815AF915AB391CBB5A941CB58

Function 00424CED Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?), ref: 00424D24
FindCloseChangeNotification.KERNELBASE(?), ref: 00424D73
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00424E75

Strings

O0B, xrefs: 00424F06, 00424F18
,B, xrefs: 00424D66, 00424DA4, 00424DEC, 00424E3B
,B, xrefs: 00424D73, 00424DB1, 00424DF9, 00424E75, 00424EA9, 00424EDD

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: ChangeCloseFindNotification$closesocket
String ID: ,B$O0B$,B
API String ID: 2622216524-3871590362
Opcode ID: 20a43316604b007258de5ce02d6e24aa7055b1077c3a81a3bef5e24309dd8fc3
Instruction ID: acf167f8ca5a5c88db1091ec2d81350130a4c2a773b5e2936053c9faeea1e764
Opcode Fuzzy Hash: 20a43316604b007258de5ce02d6e24aa7055b1077c3a81a3bef5e24309dd8fc3
Instruction Fuzzy Hash: 6181C878B00204EFDB14DF94D598AAEB772FB88314FA08699E9215B391C775EE42CF44

Function 0042E10D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a0B, xrefs: 0042E242, 0042E329
%d.%d, xrefs: 0042E236
__%s__, xrefs: 0042E31D
y-B, xrefs: 0042E2B7
,B, xrefs: 0042E35C

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: %d.%d$,B$__%s__$a0B$y-B
API String ID: 0-2739053071
Opcode ID: db83e78ae8d46cc34a783128afac3384235eed2e492da2eb3bda5340d6cada1f
Instruction ID: 142e017194dedddf65a412fa52f45dc8f1fdde68b45ba13dd053c0f04b2b40ab
Opcode Fuzzy Hash: db83e78ae8d46cc34a783128afac3384235eed2e492da2eb3bda5340d6cada1f
Instruction Fuzzy Hash: 73518271A00628ABDB34DB25FD54BEB73B4BB04346F8005E9E509E6290E7B89BC5CF54

Function 0042DEC8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(%C:\Users\user\AppData\Local\Temp%\\~2DC0693B73E4,80000000,00000003,00000000,00000004,00000080,00000000), ref: 0042DF03

Strings

-B, xrefs: 0042DF03
%C:\Users\user\AppData\Local\Temp%\\~2DC0693B73E4, xrefs: 0042DEFE
mt-D15F, xrefs: 0042DF75
,B, xrefs: 0042DFC2
Default, xrefs: 0042DF5C

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: CreateFile
String ID: %C:\Users\user\AppData\Local\Temp%\\~2DC0693B73E4$,B$Default$mt-D15F$-B
API String ID: 823142352-1466088817
Opcode ID: 164795a9d55e76830387114e21bbbdc4d1453d015a1b508ba270e00ae0cdb562
Instruction ID: 0b7dfde61ccee6f82f2cf28c137301680376fb3a47d2147c09b1ea2caddb7cfc
Opcode Fuzzy Hash: 164795a9d55e76830387114e21bbbdc4d1453d015a1b508ba270e00ae0cdb562
Instruction Fuzzy Hash: 0D21C871B00319BFE724C760ED12F967778AB48700F8041BAF609A62D0E6F41A55CF6D

Function 0042EB52 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNELBASE(00000000,localhost), ref: 0042EBEE

Strings

localhost, xrefs: 0042EBE5
127.0.0.1, xrefs: 0042EBF8
%ls, xrefs: 0042EBA6
T&B, xrefs: 0042EBB4, 0042EBBA
y>B, xrefs: 0042EC17, 0042EC1A

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: lstrcmpi
String ID: %ls$127.0.0.1$T&B$localhost$y>B
API String ID: 1586166983-4016028382
Opcode ID: cbef34ec9c3e19057950f6f39b01c702ea79eca5f07ab71f98a5eb68c181e662
Instruction ID: d7b1ef147be25e92c52abea6ce29516002638ea1317b2c4ef689ce038938c50b
Opcode Fuzzy Hash: cbef34ec9c3e19057950f6f39b01c702ea79eca5f07ab71f98a5eb68c181e662
Instruction Fuzzy Hash: 07410671B00228FBCB14CF93E841BEE7774AB44304F90855AF5099B380D7BD9A85DB89

Function 00426E8E Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(000000FF), ref: 00426ED4
FindCloseChangeNotification.KERNELBASE(?), ref: 00426F7B

Strings

p}B, xrefs: 00426E9A
,B, xrefs: 00426F55
,B, xrefs: 00426F69, 00426F7B

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: ChangeCloseFindNotificationclosesocket
String ID: ,B$p}B$,B
API String ID: 2503150427-2782076901
Opcode ID: dfbe1779b629ae80509e6619f7b8bc2ed072946cbbbbb5a54cb2707d1d3b00df
Instruction ID: f72ae2fcd957f3f700c509849401277bad0857df8f87ef0a6bba422df45e9840
Opcode Fuzzy Hash: dfbe1779b629ae80509e6619f7b8bc2ed072946cbbbbb5a54cb2707d1d3b00df
Instruction Fuzzy Hash: EBB10974E04219DFCB14CF94D594AAEB7B2FF48304F648159E402AB345C779AE8ACF84

Function 0042A8E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

g-B, xrefs: 0042AA0D

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: g-B
API String ID: 0-169967332
Opcode ID: c5ba44f83ce66ab46017740f337cd37b4eb32b68b3d0582db23e11c49cc90e26
Instruction ID: 8ef0a3fe48af72f743d8bf1d517f7d931df392a9c98f732dbf396dc561ea0254
Opcode Fuzzy Hash: c5ba44f83ce66ab46017740f337cd37b4eb32b68b3d0582db23e11c49cc90e26
Instruction Fuzzy Hash: 7F312CB4A042289FDB64CF10D985BE9B7B1AB59304F5081D9DA8967340CBB46EC1CF55

Function 0042686F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(msvcrt40.dll,malloc,00000000,?,004267BD,0042DD13,00000000,?,0042DD13,00000000), ref: 00426886
malloc.MSVCRT ref: 004268AC

Strings

malloc, xrefs: 0042687C
msvcrt40.dll, xrefs: 00426881

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: LibraryLoadmalloc
String ID: malloc$msvcrt40.dll
API String ID: 3900084889-1711729993
Opcode ID: 0319db4cc8215f42cee7a9cdd7c62899f18708c99e0255e2dfc45ec1088b8bd3
Instruction ID: eda8dff7fd1f7566b85a98bfb0b8888bb5446ece5a627b6efdb2a50cb963d8f2
Opcode Fuzzy Hash: 0319db4cc8215f42cee7a9cdd7c62899f18708c99e0255e2dfc45ec1088b8bd3
Instruction Fuzzy Hash: 39E039B0A01208EFCB14DFA4E90CB493BB8FB04706F800275E40896760E37A9900CF59

Function 00426D33 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new[].LIBCMTD ref: 00426D74

Strings

p}B, xrefs: 00426DD7
-B, xrefs: 00426E0E, 00426E1D, 00426E28

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: new[]
String ID: -B$p}B
API String ID: 4059295235-475583553
Opcode ID: dc96c2aa3a0f36037b2f58a43633fbcd29684ee778919fa16f42d0751cf8686a
Instruction ID: 343f3903090dff3767ad0c36402a06fa5e60a3b0a33aa4f0d5d809e581a30c57
Opcode Fuzzy Hash: dc96c2aa3a0f36037b2f58a43633fbcd29684ee778919fa16f42d0751cf8686a
Instruction Fuzzy Hash: 594149B4E00209EBDB14DF94D945BAEB7B1FF84308F604169E805BB381C775AA05CB59

Function 0042DE5B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000002), ref: 0042DE6E

Strings

L-B, xrefs: 0042DE87

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: ErrorMode
String ID: L-B
API String ID: 2340568224-1043978213
Opcode ID: 879c82fc0f826749d4e3b8dda26821eccdabaa1b086cd992feefd46606567322
Instruction ID: c235ed1f6d9eb9f38717dd3dcdda1fab107d9af44e103dbcebc7e3c0a48cc816
Opcode Fuzzy Hash: 879c82fc0f826749d4e3b8dda26821eccdabaa1b086cd992feefd46606567322
Instruction Fuzzy Hash: 8BF03730B8473476E6703BB3BE1BB2A39546F11769FE2073BB615D81E1DAE8E402451E

Function 0042DB1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0000D43E,00000000,00000000,00000000), ref: 0042DB68
Sleep.KERNELBASE(00002710), ref: 0042DB78

Strings

g-B, xrefs: 0042DB78

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: CreateSleepThread
String ID: g-B
API String ID: 4202482776-169967332
Opcode ID: b92e1020845c0a03d3cc9b76d9d3706cc94814a0fc831af23720397e92084021
Instruction ID: d44f9ea5ce93b4d753edb8f0dee0e0eab8d36b42e291371f624dad1ef61280f9
Opcode Fuzzy Hash: b92e1020845c0a03d3cc9b76d9d3706cc94814a0fc831af23720397e92084021
Instruction Fuzzy Hash: AEF08230B84311B6F7345B64BE3AF213A54BB00751FE90236E511D52E0D7F8B882D56D

Function 00426911 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(?), ref: 0042694E

Strings

CoInitialize, xrefs: 00426925
ole32.dll, xrefs: 0042692A

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: Initialize
String ID: CoInitialize$ole32.dll
API String ID: 2538663250-3514546051
Opcode ID: 3b3a8a8ec527f8202790480949d3ea971066ef9487cc2c497d06639b850785cb
Instruction ID: f853cf3c63661b252875a72cdaa1252f8124fd0677ee044f034920cb1dd948e0
Opcode Fuzzy Hash: 3b3a8a8ec527f8202790480949d3ea971066ef9487cc2c497d06639b850785cb
Instruction Fuzzy Hash: 08E030B4A4424CEFCB10DFA4ED5C6497BA4EB14711F500275E505A73A0DAB58980CF5D

Function 0042CEFB Relevance: 1.5, APIs: 1, Instructions: 22threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0000AA1E,0042D4EB,00000000,00000000,00A328E0,?,0042D4EB), ref: 0042CF25

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 02d21ec9b3d195173608e1f7d1dea036576f41c34c4baa67b6aa984700f46e8f
Instruction ID: c770470f6e87ad68edbed956179998bc5f8d367b40c8d2186466fde2b23f7356
Opcode Fuzzy Hash: 02d21ec9b3d195173608e1f7d1dea036576f41c34c4baa67b6aa984700f46e8f
Instruction Fuzzy Hash: 98E01A30B54208FBEB64CB85EE86F6DB3A5EB04711FA04199E904672C0C3F56E50DF89

Function 00424CA0 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00004CD3,?,00000000,00000000,?,00427BCA), ref: 00424CBA

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c7a362e91c9f10ef4a4302b9b9e86772f4254624b1491cd913b04e5e5d2c143d
Instruction ID: e50367e29c897fe21d3ba8c2d2d7c5f39f2da6b8c949dc94f0a1673281dc952f
Opcode Fuzzy Hash: c7a362e91c9f10ef4a4302b9b9e86772f4254624b1491cd913b04e5e5d2c143d
Instruction Fuzzy Hash: 2BE08C34B44308BBE720ABA4EE0AF6DBB38D740711F600299FA006A2C0D5B02A008754

Non-executed Functions

Function 00429795 Relevance: 3.2, Strings: 2, Instructions: 672COMMON

Download Yara Rule

Strings

lB, xrefs: 004298DF, 00429A2F, 00429E37, 00429CB1, 00429D0A, 00429AEB, 004297F1
, xrefs: 00429B05

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: lB$
API String ID: 0-4141540311
Opcode ID: 7be23e029b6a057be302f23f3547a228f767dc0188edecc5c269d7f1e591a0fb
Instruction ID: a36dff491b469ca1d200b9b5b1e80b40700a0114c43175bf21f5705002521ea8
Opcode Fuzzy Hash: 7be23e029b6a057be302f23f3547a228f767dc0188edecc5c269d7f1e591a0fb
Instruction Fuzzy Hash: 3B62D570E0415A9FCF08CFA8D5906AEBBB2FF89304F64819AD416AB344C734AE41DF59

Function 004291A9 Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

, xrefs: 00429443

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6dc3c9f935801a1067d420f4ef294c66193aa01eb5d4c0c9e38ddd21e3b2c127
Instruction ID: 196917cf896b1c9c03ba77504841560123c0583d9e61ee6b1bd21de4c39ee427
Opcode Fuzzy Hash: 6dc3c9f935801a1067d420f4ef294c66193aa01eb5d4c0c9e38ddd21e3b2c127
Instruction Fuzzy Hash: F332E270E0425ADFCF08CFA9C590AAEBBB2FF89308F248199C415AB355D735AA41CF55

Function 00428C16 Relevance: 1.7, Strings: 1, Instructions: 480COMMON

Download Yara Rule

Strings

!, xrefs: 00429080

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: c594a39ba769eaebc3d14f25905bdf6b1f0d61d9e20c11e4f28ee581b975dcc6
Instruction ID: cd39798d70cbea60c225ed7f8aac92c619a6e54baedd69a12b64d095667e0f50
Opcode Fuzzy Hash: c594a39ba769eaebc3d14f25905bdf6b1f0d61d9e20c11e4f28ee581b975dcc6
Instruction Fuzzy Hash: E9221370E0515A8FCF08CFA8D491AEEBBB2FF88304F54819AD516AB345CA356945CF98

Function 0042E3D1 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

(-B, xrefs: 0042E3E9, 0042E3F8, 0042E51E, 0042E5FC, 0042E60A

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: (-B
API String ID: 0-1911010329
Opcode ID: d30d8d46ebfb65795aae662135b0366a22e3a851edac379f41a588ea07b652eb
Instruction ID: 17f4a7ad7ccc6dc8f713271ae7b1290b651ee5c5716ea5fb8b21a57f065f45fd
Opcode Fuzzy Hash: d30d8d46ebfb65795aae662135b0366a22e3a851edac379f41a588ea07b652eb
Instruction Fuzzy Hash: AB918630F00209DBDB19DFA9E990AEEB7F6AF88300F94856AE109E7254D775A405CB19

Function 00428672 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dca5c6d8e1c836118329868621bf8c42d71d0f7f1b1fd252eeaf5f609fe4f97
Instruction ID: 0012e34aa35bc441a3ea605dd6de1e6fbf10e7e54fddec8d4042b6ec77eba30d
Opcode Fuzzy Hash: 9dca5c6d8e1c836118329868621bf8c42d71d0f7f1b1fd252eeaf5f609fe4f97
Instruction Fuzzy Hash: A9A15074E05148EFCB08CF99D590AADFBF2EF88304F68C1A9E459AB345D630AB51DB44

Function 00426CD0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e57b8851ffe89438fa0e73e02014deb667be70f78a5a4fa8d0a9f3a8eecf3a
Instruction ID: 9500fee6dfcd6cf8dedc22e432cf6e577843300e0a1d16dfc99902fa2d946a6f
Opcode Fuzzy Hash: 45e57b8851ffe89438fa0e73e02014deb667be70f78a5a4fa8d0a9f3a8eecf3a
Instruction Fuzzy Hash: 76016D71E0410DAFCB04CFE8E9858EEFBF9EF84300F904169E605A3204D770AA41CB94

Function 00426963 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c21f6a4ae8f7ad610cf52c7e21ed6c623dafbd6e01ec2d9e3a55b03f623fc79
Instruction ID: f7159268554ff1ee6931761459848057c2d85860203c2169315a977488a0eb5b
Opcode Fuzzy Hash: 9c21f6a4ae8f7ad610cf52c7e21ed6c623dafbd6e01ec2d9e3a55b03f623fc79
Instruction Fuzzy Hash: 31E0B639A41508EFC704DF8DE584C99FBF8EB89661F1081AAED0897321D631AE01CA90

Function 00426990 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc2d6a1ca7868316b7ac34a16a6a7e6eff49c6df148cd221538d4604c62c810
Instruction ID: c75bc0d95a5d769c2b171253ae892be3c9cd759e5c0eae4e8ea2322dc9cb5d06
Opcode Fuzzy Hash: ebc2d6a1ca7868316b7ac34a16a6a7e6eff49c6df148cd221538d4604c62c810
Instruction Fuzzy Hash: 5ED0923A3516049FC200CB4EE884D82F7ECEB4A6B5B0140A2FA09CB731C221EC00CAA0

Function 0042B493 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

new[].LIBCMTD ref: 0042B61B
new[].LIBCMTD ref: 0042B6AD

Strings

a0B, xrefs: 0042B5DA
%d.%d.%d.%d, xrefs: 0042B5D0

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: new[]
String ID: %d.%d.%d.%d$a0B
API String ID: 4059295235-2553569249
Opcode ID: f428e8619c53f39551709f2064ac597ea08d9c1761da880d86c473f28e7568da
Instruction ID: d1535ad254c69f98afe28aa0cead915e61f70dd6ce2851420a83163626738ebb
Opcode Fuzzy Hash: f428e8619c53f39551709f2064ac597ea08d9c1761da880d86c473f28e7568da
Instruction Fuzzy Hash: 7281EE74E00119AFDB04DF98E881AAEB7B2FF88304F548169E409AB352D735E981CF95

Function 004271DA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

p-B, xrefs: 004272AD
-B, xrefs: 004271F4, 00427243, 0042729C

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID:
String ID: -B$p-B
API String ID: 0-2799929621
Opcode ID: 00fcdd2b78ce5064c1563fbc5c57d3039ebf1fe6e833a0e25781b3b9659846d9
Instruction ID: d37b824705a8fcd80cf93a41cb945e976d0a0e92fc4b1a058a50f0e6f9ef0b9d
Opcode Fuzzy Hash: 00fcdd2b78ce5064c1563fbc5c57d3039ebf1fe6e833a0e25781b3b9659846d9
Instruction Fuzzy Hash: 1A514E74A04219DFDB04DF94D941BEEB7B1FF88304F50826AE905AB381C779A942CF69

Function 0042D238 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new[].LIBCMTD ref: 0042D293

Strings

-B, xrefs: 0042D26C
,B, xrefs: 0042D314

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: new[]
String ID: ,B$-B
API String ID: 4059295235-515478226
Opcode ID: 40e3f99ec40ab5c04edae32be12cafa28d9a1e35dee26e872ff19e1442f675c5
Instruction ID: bd02203c5cec86f3448fe7a40e01b1becc62533f43075a8cd244bd4441c6c91a
Opcode Fuzzy Hash: 40e3f99ec40ab5c04edae32be12cafa28d9a1e35dee26e872ff19e1442f675c5
Instruction Fuzzy Hash: DD314AB0E00219EBDB14DFD4DC85BAEB7B5FB48304F50816AE505B7280D7789A01CBA9

Function 004267CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004267FF

Strings

free, xrefs: 004267D6
msvcrt40.dll, xrefs: 004267DB

Memory Dump Source

Source File: 00000000.00000002.3510815918.0000000000420000.00000040.00001000.00020000.00000000.sdmp, Offset: 00420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_a.jbxd

Similarity

API ID: ??3@
String ID: free$msvcrt40.dll
API String ID: 613200358-1251705061
Opcode ID: 355d5b640a3becf907ca759e260f6a992d26de45837f7b197c5151839e643df0
Instruction ID: e6ccd68f8a03bfa0a6dfa5731438fbd1865617fae711cc7e17ef60b402a3512f
Opcode Fuzzy Hash: 355d5b640a3becf907ca759e260f6a992d26de45837f7b197c5151839e643df0
Instruction Fuzzy Hash: 11E08C70600214ABCB206FA0FD5CB5A3A78EB0070AFA01131E109822B0D6F954C0CB6C

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: a.exePID: 6516, Parent PID: 2580

General

Windows Analysis Report
a.exe

Function 0042C5C5 Relevance: 53.1, APIs: 7, Strings: 23, Instructions: 559
networkCOMMON

Function 0042DB8E Relevance: 35.1, APIs: 2, Strings: 18, Instructions: 144
fileCOMMON

Function 00427743 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 291
COMMON

Function 0042D43E Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 370
sleepCOMMON

Function 0042F08F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Function 00423D97 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 498
networkCOMMON

Function 00424CED Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 181
COMMON

Function 0042E10D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 146
COMMON

Function 0042DEC8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 68
fileCOMMON

Function 0042EB52 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113
stringCOMMON

Function 00426E8E Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 242
COMMON

Function 0042A8E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
COMMON

Function 0042686F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
libraryCOMMONLIBRARYCODE

Function 00426D33 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94
COMMON