Windows Analysis Report
Ref_31020563.exe

Overview

General Information

Sample name: Ref_31020563.exe
Analysis ID: 1572489
MD5: 7c8431a3c14296cff7381cc69b61bad8
SHA1: d3d20ede9527fdbeb8252118af55558037721630
SHA256: 881d0d3e98524b861548955ed7ced7f91de3a39d50feb573896694188e7fecff
Tags: exe, user-TeamDreier

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • Ref_31020563.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\Ref_31020563.exe" MD5: 7C8431A3C14296CFF7381CC69B61BAD8)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Ref_31020563.exe | ReversingLabs: Detection: 36%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ref_31020563.exe | Joe Sandbox ML: detected
Source: Ref_31020563.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: Ref_31020563.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | HTTP traffic detected: GET /AQBP HTTP/1.1 Host: oshi.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /AQBP HTTP/1.1 Host: oshi.at
Source: Joe Sandbox View | IP Address: 5.253.86.15 5.253.86.15
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: oshi.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 10 Dec 2024 15:24:29 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 1849 Connection: close
Source: Ref_31020563.exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Ref_31020563.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: Ref_31020563.exe | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Ref_31020563.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Ref_31020563.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Ref_31020563.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: Ref_31020563.exe | String found in binary or memory: http://ocsps.ssl.com0
Source: Ref_31020563.exe | String found in binary or memory: http://ocsps.ssl.com0?
Source: Ref_31020563.exe | String found in binary or memory: http://ocsps.ssl.com0_
Source: Ref_31020563.exe, 00000000.00000002.2920438184.00000000030EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oshi.at
Source: Ref_31020563.exe, 00000000.00000002.2920438184.00000000030EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oshi.atd
Source: Ref_31020563.exe, 00000000.00000002.2920438184.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ref_31020563.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Ref_31020563.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: Ref_31020563.exe, 00000000.00000002.2920438184.0000000003107000.00000004.00000800.00020000.00000000.sdmp, Ref_31020563.exe, 00000000.00000002.2920438184.000000000310B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/somenonymous/OshiUpload
Source: Ref_31020563.exe, 00000000.00000002.2920438184.000000000310B000.00000004.00000800.00020000.00000000.sdmp, Ref_31020563.exe, 00000000.00000002.2920438184.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at
Source: Ref_31020563.exe, 00000000.00000002.2920438184.0000000003071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at/AQBP
Source: Ref_31020563.exe | String found in binary or memory: https://oshi.at/AQBPKPAMhkUWREVZAdqU4bM.xStpkLwqD15MRB9YwOo
Source: Ref_31020563.exe, 00000000.00000002.2920438184.000000000310B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at/AQBPd
Source: Ref_31020563.exe, 00000000.00000002.2920438184.0000000003071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at/AQBPtocq
Source: Ref_31020563.exe | String found in binary or memory: https://www.ssl.com/repository0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: Ref_31020563.exe | Static PE information: invalid certificate
Source: Ref_31020563.exe, 00000000.00000002.2919593971.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Ref_31020563.exe
Source: Ref_31020563.exe, 00000000.00000000.1673474006.0000000000CDB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRef#.exe8 vs Ref_31020563.exe
Source: Ref_31020563.exe | Binary or memory string: OriginalFilenameRef#.exe8 vs Ref_31020563.exe
Source: classification engine | Classification label: mal56.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\Ref_31020563.exe | Mutant created: NULL
Source: Ref_31020563.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ref_31020563.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Ref_31020563.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ref_31020563.exe | Section loaded: gpapi.dll
Source: Ref_31020563.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Ref_31020563.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref_31020563.exe | Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref_31020563.exe | Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref_31020563.exe | Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref_31020563.exe | Thread delayed: delay times (51 events, in order): 922337203685477, 600000, 599875, 599766, 599656, 599547, 599435, 599328, 599219, 599094, 598984, 598875, 598766, 598656, 598547, 598437, 598328, 598219, 598094, 597984, 597875, 597765, 597656, 597547, 597437, 597327, 597215, 597109, 597000, 596891, 596766, 596641, 596531, 596422, 596305, 596203, 596094, 595984, 595875, 595766, 595641, 595516, 595406, 595295, 595187, 595078, 594968, 594859, 594750, 594640, 594531
Source: C:\Users\user\Desktop\Ref_31020563.exe | Window / User API: threadDelayed 8512
Source: C:\Users\user\Desktop\Ref_31020563.exe | Window / User API: threadDelayed 1340
Source: C:\Users\user\Desktop\Ref_31020563.exe TID: 8032 | Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\Ref_31020563.exe TID: 8036 | Thread sleep count: 8512 > 30
Source: C:\Users\user\Desktop\Ref_31020563.exe TID: 8036 | Thread sleep count: 1340 > 30
Source: C:\Users\user\Desktop\Ref_31020563.exe TID: 8032 | Thread sleep time (51 events, in order, each >= -30000s): -32281802128991695s, -600000s, -599875s, -599766s, -599656s, -599547s, -599435s, -599328s, -599219s, -599094s, -598984s, -598875s, -598766s, -598656s, -598547s, -598437s, -598328s, -598219s, -598094s, -597984s, -597875s, -597765s, -597656s, -597547s, -597437s, -597327s, -597215s, -597109s, -597000s, -596891s, -596766s, -596641s, -596531s, -596422s, -596305s, -596203s, -596094s, -595984s, -595875s, -595766s, -595641s, -595516s, -595406s, -595295s, -595187s, -595078s, -594968s, -594859s, -594750s, -594640s, -594531s
Source: Ref_31020563.exe, 00000000.00000002.2919593971.00000000012AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: C:\Users\user\Desktop\Ref_31020563.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ref_31020563.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Ref_31020563.exe | Queries volume information: C:\Users\user\Desktop\Ref_31020563.exe VolumeInformation
Source: C:\Users\user\Desktop\Ref_31020563.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (31) | LSASS Memory | Virtualization/Sandbox Evasion (31) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Information Discovery (12) | Distributed Component Object Model | Input Capture | Ingress Tool Transfer (3) | Traffic Duplication | Data Destruction
Source | Detection | Scanner | Label | Link
Ref_31020563.exe | 37% | ReversingLabs | Win32.Trojan.Barys |
Ref_31020563.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://oshi.at/AQBPKPAMhkUWREVZAdqU4bM.xStpkLwqD15MRB9YwOo | 0% | Avira URL Cloud | safe |
http://ocsps.ssl.com0? | 0% | Avira URL Cloud | safe |
https://oshi.at | 0% | Avira URL Cloud | safe |
https://oshi.at/AQBPd | 0% | Avira URL Cloud | safe |
http://oshi.at | 0% | Avira URL Cloud | safe |
http://oshi.atd | 0% | Avira URL Cloud | safe |
http://ocsps.ssl.com0 | 0% | Avira URL Cloud | safe |
http://ocsps.ssl.com0_ | 0% | Avira URL Cloud | safe |
https://oshi.at/AQBPtocq | 0% | Avira URL Cloud | safe |
https://oshi.at/AQBP | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
oshi.at | 5.253.86.15 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://oshi.at/AQBP | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0 | Ref_31020563.exe | false | | high
http://oshi.atd | Ref_31020563.exe, 00000000.00000002.2920438184.00000000030EB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | Ref_31020563.exe | false | | high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0 | Ref_31020563.exe | false | | high
http://oshi.at | Ref_31020563.exe, 00000000.00000002.2920438184.00000000030EB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/somenonymous/OshiUpload | Ref_31020563.exe, 00000000.00000002.2920438184.0000000003107000.00000004.00000800.00020000.00000000.sdmp, Ref_31020563.exe, 00000000.00000002.2920438184.000000000310B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ssl.com/repository0 | Ref_31020563.exe | false | | high
http://ocsps.ssl.com0? | Ref_31020563.exe | false | Avira URL Cloud: safe | unknown
http://ocsps.ssl.com0_ | Ref_31020563.exe | false | Avira URL Cloud: safe | unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0 | Ref_31020563.exe | false | | high
https://oshi.at | Ref_31020563.exe, 00000000.00000002.2920438184.000000000310B000.00000004.00000800.00020000.00000000.sdmp, Ref_31020563.exe, 00000000.00000002.2920438184.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q | Ref_31020563.exe | false | | high
http://ocsps.ssl.com0 | Ref_31020563.exe | false | Avira URL Cloud: safe | unknown
https://oshi.at/AQBPKPAMhkUWREVZAdqU4bM.xStpkLwqD15MRB9YwOo | Ref_31020563.exe | false | Avira URL Cloud: safe | unknown
https://oshi.at/AQBPtocq | Ref_31020563.exe, 00000000.00000002.2920438184.0000000003071000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0 | Ref_31020563.exe | false | | high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0 | Ref_31020563.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Ref_31020563.exe, 00000000.00000002.2920438184.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0 | Ref_31020563.exe | false | | high
https://oshi.at/AQBPd | Ref_31020563.exe, 00000000.00000002.2920438184.000000000310B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
5.253.86.15 | oshi.at | Cyprus | 208046 | HOSTSLICK-GERMANYNL | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1572489
                          Start date and time:2024-12-10 16:22:05 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 56s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:5
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Ref_31020563.exe
                          Detection:MAL
                          Classification:mal56.winEXE@1/0@1/1
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 6
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target Ref_31020563.exe, PID 7360 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: Ref_31020563.exe
Time | Type | Description
10:24:29 | API Interceptor | 283x Sleep call for process: Ref_31020563.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.253.86.15 | Ref#60031796.exe | malicious | AgentTesla |
5.253.86.15 | Ref#1550238.exe | malicious | Unknown |
5.253.86.15 | JuneOrder.exe | malicious | AsyncRAT, Babadeda, PureLog Stealer, zgRAT |
5.253.86.15 | TamenuV11.msi | malicious | Unknown |
5.253.86.15 | 9K25QyJ4hA.exe | malicious | Unknown |
5.253.86.15 | 9K25QyJ4hA.exe | malicious | Unknown |
5.253.86.15 | PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown |
5.253.86.15 | PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown |
5.253.86.15 | VGuSHbkIxk.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader |
5.253.86.15 | wauCcRjr6j.exe | malicious | Djvu, RedLine, SmokeLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
oshi.at | Ref#116670.exe | malicious | MassLogger RAT | 194.15.112.248
oshi.at | Ref#60031796.exe | malicious | AgentTesla | 194.15.112.248
oshi.at | Ref#1550238.exe | malicious | AgentTesla | 194.15.112.248
oshi.at | Ref#1550238.exe | malicious | Unknown | 5.253.86.15
oshi.at | Swift Payment MT103.lnk | malicious | Unknown | 188.241.120.6
oshi.at | Facturation.exe | malicious | Doenerium | 188.241.120.6
oshi.at | Facturation.exe | malicious | Doenerium | 188.241.120.6
oshi.at | KyrazonSetup.exe | malicious | Unknown | 194.15.112.248
oshi.at | KyrazonSetup.exe | malicious | Unknown | 194.15.112.248
oshi.at | JuneOrder.exe | malicious | AsyncRAT, Babadeda, PureLog Stealer, zgRAT | 5.253.86.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTSLICK-GERMANYNL | Ref#60031796.exe | malicious | AgentTesla | 5.253.86.15
HOSTSLICK-GERMANYNL | Ref#1550238.exe | malicious | Unknown | 5.253.86.15
HOSTSLICK-GERMANYNL | an_api.exe | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | licarisan_api.exe | malicious | Icarus | 193.142.146.64
HOSTSLICK-GERMANYNL | an_api.exe | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | build.exe | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | ub16vsLP6y.zip | malicious | Remcos | 193.142.146.203
HOSTSLICK-GERMANYNL | ISehgzqm2V.zip | malicious | Remcos | 193.142.146.203
HOSTSLICK-GERMANYNL | Form-8879_PDF.jar | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | Form-8879_PDF.jar | malicious | Unknown | 193.142.146.64
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | xUPaeKk5wQ.msi | malicious | AteraAgent | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | 7gBUqzSN3y.msi | malicious | AteraAgent | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | PO-8776-2024.js | malicious | Remcos | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | New Order Enquiry.js | malicious | AgentTesla | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | Bunker_STS_pdf.vbs | malicious | Unknown | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | Hesap_Hareketleri_09122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | E-dekont.exe | malicious | MassLogger RAT | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | Hesaphareketi-01.pdf.exe | malicious | Snake Keylogger | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | ple.bat | malicious | Unknown | 5.253.86.15
                                              No context
                                              No created / dropped files found
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):3.503258515872725
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                              • Win32 Executable (generic) a (10002005/4) 49.97%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Ref_31020563.exe
                                              File size:180'704 bytes
                                              MD5:7c8431a3c14296cff7381cc69b61bad8
                                              SHA1:d3d20ede9527fdbeb8252118af55558037721630
                                              SHA256:881d0d3e98524b861548955ed7ced7f91de3a39d50feb573896694188e7fecff
                                              SHA512:43029de7a6896a3e9b1037c02658b25ef222fa891f22551c6e934c6d0fe1a4a127e5f7f3d37490ede23be27534410dbd2ac846c0722c3ff909be3933bb166f8b
                                              SSDEEP:384:eNuji6i2UKsMQmZjVBjN4IXQxxkSlSlSlSlSlKlfalfalfalfalfalfalfalfalt:sH22m5vHzhVCa3K6XiFZKj
                                              TLSH:43041A63B53CC4E2F89C3DF09A5997256AB16E920238F087E54FBDC6E8B3623C6051D5
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9Xg............................^+... ...@....@.. ....................................`................................
                                              Icon Hash:07d8d8d4d4d85026
                                              Entrypoint:0x402b5e
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6758390D [Tue Dec 10 12:50:21 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:false
                                              Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                              Signature Validation Error:The digital signature of the object did not verify
                                              Error Number:-2146869232
                                              Not Before, Not After
                                              • 04/07/2024 00:35:32 15/05/2027 11:15:04
                                              Subject Chain
                                              • OID.1.3.6.1.4.1.311.60.2.1.3=VN, OID.2.5.4.15=Private Organization, CN="DUC FABULOUS CO.,LTD", SERIALNUMBER=0105838409, O="DUC FABULOUS CO.,LTD", L=Hanoi, C=VN
                                              Version:3
                                              Thumbprint MD5:FF0E889D2A73C3A679605952D35452DC
                                              Thumbprint SHA-1:2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
                                              Thumbprint SHA-256:A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3
                                              Serial:6DD2E3173995F51BFAC1D9FB4CB200C1
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the report lists this last instruction 97 times: the bytes following the jmp stub are zeros, and the two-byte sequence 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b08 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x29276 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2a400 | 0x1de0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb64 | 0xc00 | 4b0bc13289f9896f4f7af2fcb8f4e52f | False | 0.5716145833333334 | data | 5.189697873641547 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x29276 | 0x29400 | 04ee348ac2debaee0968c396aa0f5c6c | False | 0.0558297821969697 | data | 3.0574613817425944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e000 | 0xc | 0x200 | d41fb489799b709e37a733d4ed02be14 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x42b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.17375886524822695
RT_ICON | 0x4718 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.11229508196721312
RT_ICON | 0x50a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.06941838649155722
RT_ICON | 0x6148 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.03973029045643153
RT_ICON | 0x86f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.029168634860651865
RT_ICON | 0xc918 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.03022181146025878
RT_ICON | 0x11da0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.019261088921589238
RT_ICON | 0x1b248 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.023837690760676683
RT_ICON | 0x2ba70 | 0x1285 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8517190466146383
RT_GROUP_ICON | 0x2ccf8 | 0x84 | data | | | 0.7272727272727273
RT_VERSION | 0x2cd7c | 0x310 | data | | | 0.4489795918367347
RT_MANIFEST | 0x2d08c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:22:57.523463011 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:57.523504019 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:22:57.523617029 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:57.537086964 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:57.537102938 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:22:59.311481953 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:22:59.311620951 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:59.336715937 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:59.336736917 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:22:59.337033033 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:22:59.385651112 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:59.425226927 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:22:59.471342087 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:29.847626925 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:29.847664118 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:29.847734928 CET | 443 | 49740 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:29.847760916 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:29.847807884 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:29.874183893 CET | 49740 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:29.883008003 CET | 49814 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:29.883064985 CET | 443 | 49814 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:29.883135080 CET | 49814 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:29.883440971 CET | 49814 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:29.883452892 CET | 443 | 49814 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:31.654795885 CET | 443 | 49814 | 5.253.86.15 | 192.168.2.4
Dec 10, 2024 16:24:31.663417101 CET | 49814 | 443 | 192.168.2.4 | 5.253.86.15
Dec 10, 2024 16:24:31.663428068 CET | 443 | 49814 | 5.253.86.15 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:22:57.170756102 CET | 50397 | 53 | 192.168.2.4 | 1.1.1.1
Dec 10, 2024 16:22:57.518137932 CET | 53 | 50397 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 16:22:57.170756102 CET | 192.168.2.4 | 1.1.1.1 | 0xd38a | Standard query (0) | oshi.at | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 16:22:57.518137932 CET | 1.1.1.1 | 192.168.2.4 | 0xd38a | No error (0) | oshi.at | | 5.253.86.15 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:22:57.518137932 CET | 1.1.1.1 | 192.168.2.4 | 0xd38a | No error (0) | oshi.at | | 194.15.112.248 | A (IP address) | IN (0x0001) | false
                                              • oshi.at
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49740 | 5.253.86.15 | 443 | 7360 | C:\Users\user\Desktop\Ref_31020563.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 15:22:59 UTC | 61 | OUT | GET /AQBP HTTP/1.1
Host: oshi.at
Connection: Keep-Alive
2024-12-10 15:24:29 UTC | 158 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 10 Dec 2024 15:24:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1849
Connection: close
2024-12-10 15:24:29 UTC | 1849 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49814 | 5.253.86.15 | 443 | 7360 | C:\Users\user\Desktop\Ref_31020563.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 15:24:31 UTC | 37 | OUT | GET /AQBP HTTP/1.1
Host: oshi.at


Target ID: 0
Start time: 10:22:56
Start date: 10/12/2024
Path: C:\Users\user\Desktop\Ref_31020563.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Ref_31020563.exe"
Imagebase: 0xcb0000
File size: 180'704 bytes
MD5 hash: 7C8431A3C14296CFF7381CC69B61BAD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2920095435.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1410000_Ref_31020563.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tocq
                                                • API String ID: 0-4013956356
                                                • Opcode ID: 9a936abfe664007f55ed2b7935d1aaabf7a17638442517825b1e32a25965d853
                                                • Instruction ID: 0c0e843bd969f4bb4e4e2cf0ab1b574bc0675ae7a30a7f29c1226576a1733803
                                                • Opcode Fuzzy Hash: 9a936abfe664007f55ed2b7935d1aaabf7a17638442517825b1e32a25965d853
                                                • Instruction Fuzzy Hash: AC216B70A501188FDB58DF68D564AAE7BF2AF8C300F20846AE406FB3A4DB349C85CB51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2920095435.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1410000_Ref_31020563.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tocq
                                                • API String ID: 0-4013956356
                                                • Opcode ID: 81b73b09509938a8b6ba96f0c7c7de09b28c4513f51b948ef45c895926c5d4c1
                                                • Instruction ID: 47c9cc1a812c6672f0fe0ea47515f21b32cc4b0a14475031e68a3e6fb497479a
                                                • Opcode Fuzzy Hash: 81b73b09509938a8b6ba96f0c7c7de09b28c4513f51b948ef45c895926c5d4c1
                                                • Instruction Fuzzy Hash: A8213D70A101189FDB14DF69D554AAE7BF2AF8C700F10446AE506FB3A4DB349C45CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2920095435.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1410000_Ref_31020563.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: <duq
                                                • API String ID: 0-2704095200
                                                • Opcode ID: 8062d46660ae8bd38c44389461a58bc913cc90ff570288e4d6a9673a6f52e665
                                                • Instruction ID: 25d0094ce54d05e57ebc33c0533987f2f2bca7ea343d035a31c5827ca00dda2f
                                                • Opcode Fuzzy Hash: 8062d46660ae8bd38c44389461a58bc913cc90ff570288e4d6a9673a6f52e665
                                                • Instruction Fuzzy Hash: F6F0C2313042494FC754CB78E8949A93BF1AFC9320B2100EAF404CB3A2CA74CC02CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2920095435.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1410000_Ref_31020563.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: <duq
                                                • API String ID: 0-2704095200
                                                • Opcode ID: c5e4c0b546c14667de8f34c4bf1b2e57bfce961d312a5d0488a6516137525eec
                                                • Instruction ID: e4f397532ca16805ba948473191dac17ec69f5146f3a2c3c480e9e3f166520bd
                                                • Opcode Fuzzy Hash: c5e4c0b546c14667de8f34c4bf1b2e57bfce961d312a5d0488a6516137525eec
                                                • Instruction Fuzzy Hash: 08F082317401144FC304DB79D448E6A37E6EBCD721F2100A5F509CB3A1DE61DC018791
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2920095435.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1410000_Ref_31020563.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 958bbc0f3483f240476dda64e26e0eb6503f427c295d643579208fccaa1054dd
                                                • Instruction ID: 56b791d65fc80ed982a0477e540b5313908051068856e634b0e1345aa827dd88
                                                • Opcode Fuzzy Hash: 958bbc0f3483f240476dda64e26e0eb6503f427c295d643579208fccaa1054dd
                                                • Instruction Fuzzy Hash: 06D0A7317142644FCB0067BCD81848937BA9F4B350B0100A2F449CB361DA35DC02CBD6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2920095435.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1410000_Ref_31020563.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b38e976d0a9ac5b61401a7a29f70d88bd9de41d4c95242550556b847e4db251e
                                                • Instruction ID: 3086892268e0f28a19849d28ad5b182a0fa10d00b19e4e13c18e5f1378cea335
                                                • Opcode Fuzzy Hash: b38e976d0a9ac5b61401a7a29f70d88bd9de41d4c95242550556b847e4db251e
                                                • Instruction Fuzzy Hash: DFC040314055848FD7169B54D9151303B32DF4370431641DBC5855B557C5353C57DB57