Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545751
MD5:	d51eb63974474a6e7547c8f3ee8f5c93
SHA1:	858252c9d48b5849176b19dc464af8a3ce9d6568
SHA256:	cbb2935e499f3c88e862bdd46f5710774b232aa9ba85cc30006236a6f4503db2
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Entry point lies outside standard sections

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3556 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D51EB63974474A6E7547C8F3EE8F5C93)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe, 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmp

String found in binary or memory: http://193.169.105.15:3000/download/seyhhdBuild.exeC:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A14860	0_2_00007FF6D1A14860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A12080	0_2_00007FF6D1A12080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A13320	0_2_00007FF6D1A13320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1BED2F1	0_2_00007FF6D1BED2F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A151A0	0_2_00007FF6D1A151A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A1435B	0_2_00007FF6D1A1435B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A12340	0_2_00007FF6D1A12340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A11340	0_2_00007FF6D1A11340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A135C0	0_2_00007FF6D1A135C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A2504C	0_2_00007FF6D1A2504C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A18880	0_2_00007FF6D1A18880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A14829	0_2_00007FF6D1A14829

Source: file.exe, 00000000.00000003.2042527988.000001A3BB962000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs file.exe
Source: file.exe, 00000000.00000002.2042835645.000001A3BB963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs file.exe

Source: classification engine

Classification label: mal56.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 3653120 > 1048576

Source: file.exe

Static PE information: Raw size of .abx is bigger than: 0x100000 < 0x379600

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .abx

Source: file.exe	Static PE information: section name: ._/b
Source: file.exe	Static PE information: section name: .DIl
Source: file.exe	Static PE information: section name: .abx

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A19936 push rsi; iretd	0_2_00007FF6D1A19937
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A23BD7 push rax; ret	0_2_00007FF6D1A23BD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A22F10 push rdi; retf	0_2_00007FF6D1A22F11
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6D1A228B9 push rbx; iretd	0_2_00007FF6D1A228C1

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 3556 base: 7FF8C8A50008 value: E9 EB D9 E9 FF			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 3556 base: 7FF8C88ED9F0 value: E9 20 26 16 00			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened / queried: HGFS			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: VBoxMiniRdrDN			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6D1F53225 rdtsc

0_2_00007FF6D1F53225

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6D1F53225 rdtsc

0_2_00007FF6D1F53225

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\file.exe	NtMapViewOfSection: Direct from: 0x7FF6D1CBD61A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Indirect: 0x7FF6D1C17FD4	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1ED7FE6	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1C71678	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1C66A48	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1F0A270	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1EDF15C	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1CCBF20	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1EF227F	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1F114E7	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1C553C2	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtProtectVirtualMemory: Direct from: 0x7FF6D1C3D3FA	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	NtUnmapViewOfSection: Direct from: 0x7FF6D1C6CE80	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	1 Credential API Hooking	2 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://193.169.105.15:3000/download/seyhhdBuild.exeC:	file.exe, 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545751
Start date and time:	2024-10-30 23:04:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target file.exe, PID 3556 because it is empty
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.965120976822778
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	3'653'120 bytes
MD5:	d51eb63974474a6e7547c8f3ee8f5c93
SHA1:	858252c9d48b5849176b19dc464af8a3ce9d6568
SHA256:	cbb2935e499f3c88e862bdd46f5710774b232aa9ba85cc30006236a6f4503db2
SHA512:	89b7538c3e074be0a4872768b2a36527af06f47137010e1bb8bf8263cb6d1ba3c5158666b79779589db50eb97cea765aaf49953fa918630e12c0c037c4704205
SSDEEP:	49152:gOWEd7uyb66vtNOeRohANG6POCJ3xBaInIl3dOGKpW8tchWqVAMbv+:LWEJhbBRovCJ3xB1nhWdhWqVxq
TLSH:	06F523F928C62DF9C057F3B8845D666E70FE7FE286204949679A5E024F1360DAC33E85
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....."g.........."....(.....V.......f&........@..............................X...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140266684
Entrypoint Section:	.abx
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722AC04 [Wed Oct 30 21:58:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	47231b93d5639b1098929652588829ab

Entrypoint Preview

Instruction
call 00007FF650AAAC0Fh
scasd
push 97282716h
jmp far 8A82h : 8CE5CEA9h
in eax, dx
mov byte ptr [edx+24h], dl
call 00007FF659FFC5D3h
jc 00007FF6507F3A12h
sahf
out 84h, al
scasb
mov byte ptr [E4966814h], al
cmp cl, byte ptr [esi+6Dh]
pushad
test al, DAh
pop edx
inc ecx
sar ah, FFFFFFBAh
salc
mov dl, al
in al, dx
stosb
cmpsb
jo 00007FF6507F3A2Fh
inc edi
inc al
lds edx, fword ptr [AF0F4E54h]
or al, D8h
dec eax
out dx, eax
pop esp
iretd
push E245C038h
sahf
jl 00007FF6507F39CFh
push ebp
xchg eax, ebp
cmp al, 18h
cmpsd
retf
cmp byte ptr [eax+10h], bh
adc byte ptr [ecx+5C4E92A5h], dh
pop ebp
cmc
jne 00007FF6507F39B7h
xor byte ptr [edi-3Dh], ch
cwde
sub byte ptr [ecx], bl
mov byte ptr [ecx], bh
or eax, B73CC65Ah
rol dword ptr [eax], cl
jnbe 00007FF6507F3A2Ch
test dword ptr [edx-628EF475h], eax
in eax, dx
loop 00007FF6507F39C1h
jnl 00007FF6507F3A9Bh
fbld [ebx-423CB8C8h]
pop es
sbb esp, dword ptr [edi+01h]
leave
mov ebp, 09031F6Ah
movsb
fistp dword ptr [ebx+27h]
mov seg?, bp
test dword ptr [ebx-0C4A76D8h], eax
cmp dword ptr [edi], 75h
pop ebx
sbb eax, 84D56B69h
ret
retf
aas
jbe 00007FF6507F3A9Fh
pop ebp
rcr dword ptr [edi], FFFFFFF1h
fadd st(7), st(0)
into
xor byte ptr [edi-65h], 0000005Bh
imul esi, dword ptr [edx-719A760Ah], DEh
push ss
salc
stc
dec esp
and byte ptr [edx+13EB8A53h], dl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x509a28	0x154	.abx
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58d000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x587390	0x3180	.abx
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58b000	0x1554	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x587250	0x140	.abx
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x210000	0x128	.DIl
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x928b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x3d3a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x9a0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x10000	0x810	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
._/b	0x11000	0x1feba3	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.DIl	0x210000	0xae8	0xc00	2659d3cfa06793ab860b63704f014c99	False	0.040690104166666664	data	0.25921036383107215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.abx	0x211000	0x379510	0x379600	15eb5379914b406dd4e448264806a933	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x58b000	0x1554	0x1600	6a798236bc0f921463da0b0870821ade	False	0.19300426136363635	data	5.450936073725384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x58d000	0x1e0	0x200	803520c50dfca74720009cda2e9a72ce	False	0.537109375	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x58d058	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	LocalFree
ADVAPI32.dll	RegSetKeySecurity
SHELL32.dll	ShellExecuteExW
MSVCP140.dll	??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
urlmon.dll	URLDownloadToFileW
d3d9.dll	Direct3DCreate9
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__current_exception_context
api-ms-win-crt-stdio-l1-1-0.dll	ungetc
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file
api-ms-win-crt-runtime-l1-1-0.dll	_exit
api-ms-win-crt-heap-l1-1-0.dll	_callnewh
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: file.exePID: 3556, Parent PID: 1028

General

Target ID:	0
Start time:	18:04:56
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff6d1a10000
File size:	3'653'120 bytes
MD5 hash:	D51EB63974474A6E7547C8F3EE8F5C93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 3556, Parent PID: 1028COMMON

Executed Functions

Function 00007FF6D1A14860 Relevance: 26.6, Strings: 21, Instructions: 382COMMON

Download Yara Rule

Strings

Q, xrefs: 00007FF6D1A1496A
T, xrefs: 00007FF6D1A1493E
P, xrefs: 00007FF6D1A14907
N, xrefs: 00007FF6D1A149A1
Q, xrefs: 00007FF6D1A1495F
N, xrefs: 00007FF6D1A148FC
[, xrefs: 00007FF6D1A14954
>, xrefs: 00007FF6D1A14F3D
>, xrefs: 00007FF6D1A14F7D
X, xrefs: 00007FF6D1A14928
P, xrefs: 00007FF6D1A1491D
O, xrefs: 00007FF6D1A149E3
Q, xrefs: 00007FF6D1A14F63
P, xrefs: 00007FF6D1A14949
_, xrefs: 00007FF6D1A14FA3
b, xrefs: 00007FF6D1A15021
a, xrefs: 00007FF6D1A148DB
b, xrefs: 00007FF6D1A14F22
P, xrefs: 00007FF6D1A14933
>, xrefs: 00007FF6D1A15036
R, xrefs: 00007FF6D1A14912

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID: >$>$>$N$N$O$P$P$P$P$Q$Q$Q$R$T$X$[$_$a$b$b
API String ID: 0-932737158
Opcode ID: fe668420eea82e644ebb27b1297be97dba6d4c938e4113c23229002d66ef3a41
Instruction ID: f132dff91810b10319f52eec7c6cf1245b28fa14ca8b6def3c041d7da47f0725
Opcode Fuzzy Hash: fe668420eea82e644ebb27b1297be97dba6d4c938e4113c23229002d66ef3a41
Instruction Fuzzy Hash: E422282651C6D686E334AF21A4003FFB2B0FF9D705F406127E6C887A64EBBD9194DB19

Function 00007FF6D1A1435B Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 310COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D1A14852

Strings

Q, xrefs: 00007FF6D1A1496A
T, xrefs: 00007FF6D1A1493E
P, xrefs: 00007FF6D1A14907
N, xrefs: 00007FF6D1A149A1
Q, xrefs: 00007FF6D1A1495F
N, xrefs: 00007FF6D1A148FC
[, xrefs: 00007FF6D1A14954
X, xrefs: 00007FF6D1A14928
P, xrefs: 00007FF6D1A1491D
O, xrefs: 00007FF6D1A149E3
P, xrefs: 00007FF6D1A14949
a, xrefs: 00007FF6D1A148DB
P, xrefs: 00007FF6D1A14933
R, xrefs: 00007FF6D1A14912

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: N$N$O$P$P$P$P$Q$Q$R$T$X$[$a
API String ID: 118556049-1232599636
Opcode ID: 20526998b8988f78cd21115ff37124318368c70020baa30d7db42bc1421c1abe
Instruction ID: 74fe2adce811fb0ceae1a3113c3ea182666aef951f929e12a9aff8fa6b682574
Opcode Fuzzy Hash: 20526998b8988f78cd21115ff37124318368c70020baa30d7db42bc1421c1abe
Instruction Fuzzy Hash: 02F1052651C2C789E334AF61A4003FA72A0EF5D752F441127E6C8C7EA9EFBC9095DB19

Function 00007FF6D1A14829 Relevance: 17.7, Strings: 14, Instructions: 231COMMON

Download Yara Rule

Strings

Q, xrefs: 00007FF6D1A1496A
T, xrefs: 00007FF6D1A1493E
P, xrefs: 00007FF6D1A14907
N, xrefs: 00007FF6D1A149A1
Q, xrefs: 00007FF6D1A1495F
N, xrefs: 00007FF6D1A148FC
[, xrefs: 00007FF6D1A14954
X, xrefs: 00007FF6D1A14928
P, xrefs: 00007FF6D1A1491D
O, xrefs: 00007FF6D1A149E3
P, xrefs: 00007FF6D1A14949
a, xrefs: 00007FF6D1A148DB
P, xrefs: 00007FF6D1A14933
R, xrefs: 00007FF6D1A14912

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID: N$N$O$P$P$P$P$Q$Q$R$T$X$[$a
API String ID: 0-1232599636
Opcode ID: 62dec090b05366c7930d13f8a2536d044ff7e4f22b4e3bf1603fba085d84260f
Instruction ID: 570b0a5053558fd943f93263bb349ac77fd5cdaf8700e946e8e4aaee92988884
Opcode Fuzzy Hash: 62dec090b05366c7930d13f8a2536d044ff7e4f22b4e3bf1603fba085d84260f
Instruction Fuzzy Hash: 77C1E26A41C2D699E334AF61B4002FA72F0EF6D712F441027E6C8CB964EBBC9495DB19

Function 00007FF6D1A12080 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: bcc522ad164ec71077b224b85bf57e0b85936017b5a76643d16e068dd161eebf
Instruction ID: 6b45b2afafe8432bb7fb9ff4581741e725016f4be6b8baf1b531232ed0be05e2
Opcode Fuzzy Hash: bcc522ad164ec71077b224b85bf57e0b85936017b5a76643d16e068dd161eebf
Instruction Fuzzy Hash: 8E81B423F097D18EF711CB78D0402DE2B719752758F29117BEE89A7A8BCE69C059C311

Function 00007FF6D1A18E6E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__scrt_release_startup_lock.LIBCMT ref: 00007FF6D1A18EC2

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: __scrt_release_startup_lock
String ID:
API String ID: 2859049428-0
Opcode ID: 3a7145f297a69d0bfe977736fc6b898314a2e90bfbc9611b7a7b1bc9e8a2ae86
Instruction ID: cb9fabeb70f2437702af1968bc995e3e8e64344535f45032857f1a597a06216c
Opcode Fuzzy Hash: 3a7145f297a69d0bfe977736fc6b898314a2e90bfbc9611b7a7b1bc9e8a2ae86
Instruction Fuzzy Hash: B811D054E0C60740FB1CAB6595593BC23926F45784F4C803BE94ECB2E7DEECA4E9C240

Function 00007FF6D1A18E53 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__scrt_release_startup_lock.LIBCMT ref: 00007FF6D1A18EC2

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: __scrt_release_startup_lock
String ID:
API String ID: 2859049428-0
Opcode ID: fa0f252501f3f2742ea05a619e7df9e583601b5c087aa2cd33d14fecda7aa1c5
Instruction ID: 9a6e7fdb45a87fabdaf807205f71bc8f7a3ad9accf64d52d96b8005799d1c300
Opcode Fuzzy Hash: fa0f252501f3f2742ea05a619e7df9e583601b5c087aa2cd33d14fecda7aa1c5
Instruction Fuzzy Hash: 7AF06D52E4828305F749ABA9941A3ED16C09F5AB84F8C403BE64DCB7D7DEECA4E0C351

Function 00007FF6D1F527BF Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e7c0f926aea09caf6c399ef6a50be090225b01dcdf77fadaf261c9bfcd1a08
Instruction ID: 135d29669294ff86cea4298a246d923f46629b4c425e3148a7d87bea8966ed90
Opcode Fuzzy Hash: 19e7c0f926aea09caf6c399ef6a50be090225b01dcdf77fadaf261c9bfcd1a08
Instruction Fuzzy Hash: D431C827D0CE47A5F310AB60E4013AD73A0EB41764FA08732E6A963AD6DF7CD566CA40

Function 00007FF6D1A18EE1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: CheckCommonHandler
String ID:
API String ID: 327083040-0
Opcode ID: b88b7c4c18471a47f4ec760ce875855afe0eb3238f8be503d38711a40805983c
Instruction ID: 1c42edf846021839efc621788b701674f927e25996fb3b6779d2c9e06b342ad0
Opcode Fuzzy Hash: b88b7c4c18471a47f4ec760ce875855afe0eb3238f8be503d38711a40805983c
Instruction Fuzzy Hash: E8014F15F0861341FB5CAF69D4563BD12925F85B84F4C4037EA4ECB2EBCEACA4E5C201

Non-executed Functions

Function 00007FF6D1A151A0 Relevance: 9.4, Strings: 7, Instructions: 606COMMON

Download Yara Rule

Strings

1, xrefs: 00007FF6D1A152D4
p, xrefs: 00007FF6D1A15697
@, xrefs: 00007FF6D1A159F8
4, xrefs: 00007FF6D1A1573C
,, xrefs: 00007FF6D1A156AE
open, xrefs: 00007FF6D1A15A05
3, xrefs: 00007FF6D1A15685

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID: ,$1$3$4$@$open$p
API String ID: 0-229975635
Opcode ID: 8df138462eeabb41d687935a3eaabc3d117dbc3e59e996a2eecb12f495e28aee
Instruction ID: d0b7833b21a131a2e39b60e2f70cec988a91ebe5b07082e2d3e4ec43198c4877
Opcode Fuzzy Hash: 8df138462eeabb41d687935a3eaabc3d117dbc3e59e996a2eecb12f495e28aee
Instruction Fuzzy Hash: F6528652B1C7C282F3249B34E1413AF62A1FF99754F546227DAD943AA5EFBCD0A4CB01

Function 00007FF6D1A135C0 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FF6D1A1361F
.exe, xrefs: 00007FF6D1A13779

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID: .exe$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 0-3475866225
Opcode ID: f7c7b438abd5ca9310f52f0f85a43bbb0fb50ce0d79b2b482dfe91db25cf84fe
Instruction ID: 6e2831bb63031cd3b4316f108ac8e99829adc07b2f00a443c8027564d2abf214
Opcode Fuzzy Hash: f7c7b438abd5ca9310f52f0f85a43bbb0fb50ce0d79b2b482dfe91db25cf84fe
Instruction Fuzzy Hash: 49510672B18A4286FB18DF15E41126E73A1FB89B94F585233EA5E83B94DFBCD0958700

Function 00007FF6D1A11340 Relevance: 2.1, Strings: 1, Instructions: 872COMMON

Download Yara Rule

Strings

7, xrefs: 00007FF6D1A11E88

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: 7
API String ID: 118556049-1790921346
Opcode ID: b2737044ff89ba36c1b9aeea0ff9260507a77ebf1d496965ca72bb0daf758518
Instruction ID: feb81753593cd2a393f047e2609d3f02c9b36f2e8e48892775272dca629fa30c
Opcode Fuzzy Hash: b2737044ff89ba36c1b9aeea0ff9260507a77ebf1d496965ca72bb0daf758518
Instruction Fuzzy Hash: B282A65714D2C18DF3328638A1503DFAF61D3AA34CF4A225AE6CC5BA5BC56DC354CB2A

Function 00007FF6D1A12340 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

(, xrefs: 00007FF6D1A126D2

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: (
API String ID: 118556049-3887548279
Opcode ID: 87e050a01c2f84486b2e69923ed983f1533155b83d6f5790c50db7bdb1aab978
Instruction ID: e06b5c7727d2d385ce4fd4601391e4f90f4319e2f1fdc64971f4e5f3f99dc13f
Opcode Fuzzy Hash: 87e050a01c2f84486b2e69923ed983f1533155b83d6f5790c50db7bdb1aab978
Instruction Fuzzy Hash: 21F12C1760D2D18CF7318634A0103DF6FA1D3AA348F49225BEADD47B9ACA7DC294CB25

Function 00007FF6D1A13320 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 2d47d9c28d1a1ccf0160a7d7af5898d712e7d17526abca064be7e954f6542090
Instruction ID: 421cf81ab56c5b435ed667a00fc38c8f1a13074e7eea773bb5ac820bd8f0aa67
Opcode Fuzzy Hash: 2d47d9c28d1a1ccf0160a7d7af5898d712e7d17526abca064be7e954f6542090
Instruction Fuzzy Hash: 8381D222F18B928DFB05CF7585002ED27B4BB047A8F545227DE2D67B99EF789282C350

Function 00007FF6D1A2504C Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6086aef77cd855c08f85d3a7d53ade566dda5672c1de5db5f106793458621cf8
Instruction ID: 1e33261a7a5e3ef66ca4e12f30508ba17e63d1548f9484e6c2f26b28b5f755ea
Opcode Fuzzy Hash: 6086aef77cd855c08f85d3a7d53ade566dda5672c1de5db5f106793458621cf8
Instruction Fuzzy Hash: DD41B422B9C353C6FB54CA14C1456BC63B1AB20BD0FB94932DA49C35D0DFADF9E29610

Function 00007FF6D1A18880 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: 4c1ed86cdca4fa4f75663e835828f6a075ffdd3c24583286aef981495e7c25e7
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: E7419333B2154587E78CCF2AC8126AD33A2F398304F59C23EDA0AC7385DA399916CB44

Function 00007FF6D1BED2F1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998b2b409ac451f3d4330ede5d3e53ecbbe195862da57dce0cf18ab0a21d63a1
Instruction ID: 491f3d0525ac184a668cea5de97010920c940de2c464bbdb9daeda8876c9325e
Opcode Fuzzy Hash: 998b2b409ac451f3d4330ede5d3e53ecbbe195862da57dce0cf18ab0a21d63a1
Instruction Fuzzy Hash: 3821382BA0DA53D1F315AB70D8012BEA721EF89740F621132E64D93196DF7D9621C740

Function 00007FF6D1F53225 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043157024.00007FF6D1C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D1A10000, based on PE: true

Associated: 00000000.00000002.2042912058.00007FF6D1A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042926069.00007FF6D1A11000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042940995.00007FF6D1A1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042956036.00007FF6D1A1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042970258.00007FF6D1A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042983320.00007FF6D1A21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043008850.00007FF6D1A55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043023722.00007FF6D1A5B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043142047.00007FF6D1C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2043372118.00007FF6D1F9B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d1a10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42df28e9223e5a5899914025b505a720c0af53277bf332d239a0464e7c9d96f1
Instruction ID: c307711a635009c33b43c877062df9661ccad5bc9fcb6e646139c7f42f9f2476
Opcode Fuzzy Hash: 42df28e9223e5a5899914025b505a720c0af53277bf332d239a0464e7c9d96f1
Instruction Fuzzy Hash: 0AE0C285E5C802C0F3202274AC083BC1A509B44310F549233F5DDC77CACEAD9926A281

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: file.exePID: 3556, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 3556, Parent PID: 1028COMMON

Executed Functions

Function 00007FF6D1A14860 Relevance: 26.6, Strings: 21, Instructions: 382COMMON

Function 00007FF6D1A1435B Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 310COMMON

Function 00007FF6D1A14829 Relevance: 17.7, Strings: 14, Instructions: 231COMMON

Function 00007FF6D1A12080 Relevance: .2, Instructions: 196COMMON

Function 00007FF6D1A18E6E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Windows Analysis Report
file.exe