Edit tour

Windows Analysis Report
yoyf.exe

Overview

General Information

Sample name:	yoyf.exe
Analysis ID:	1577489
MD5:	e3dcc770ca9c865a719c2b1f1c5b174e
SHA1:	3690617064fbcccba9eacc76be2e00cd34bac830
SHA256:	7a41fa61102269baa65f7f762cf868c3c6a506fb58b590b6ae1352b864f2831e
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

yoyf.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\yoyf.exe" MD5: E3DCC770CA9C865A719C2B1F1C5B174E)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yoyf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: yoyf.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown

HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: yoyf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\yoyf.exe

Code function: 4x nop then mov ecx, dword ptr [ebp-5Ch]

0_2_016EA58D

Source: global traffic

HTTP traffic detected: GET /ByQRHy3/126-Final.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ByQRHy3/126-Final.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: i.ibb.co

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 18 Dec 2024 13:15:51 GMTContent-Type: image/pngContent-Length: 1031Connection: close

Source: yoyf.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: yoyf.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: yoyf.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: yoyf.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: yoyf.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: yoyf.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: yoyf.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: yoyf.exe, 00000000.00000002.1327142394.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: yoyf.exe, 00000000.00000002.1327142394.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.cod
Source: yoyf.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: yoyf.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: yoyf.exe	String found in binary or memory: http://ocsp.sectigo.com0;
Source: yoyf.exe, 00000000.00000002.1327142394.00000000030DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: yoyf.exe, 00000000.00000002.1327142394.00000000030DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: yoyf.exe	String found in binary or memory: https://i.ibb.co/ByQRHy3/126-Final.webp
Source: yoyf.exe, 00000000.00000002.1327142394.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co/ByQRHy3/126-Final.webpT
Source: yoyf.exe, 00000000.00000002.1327142394.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co/ByQRHy3/126-Final.webpt
Source: yoyf.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 91.134.10.182:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E5998	0_2_016E5998
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E9AB8	0_2_016E9AB8
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E0C50	0_2_016E0C50
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E543C	0_2_016E543C
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E4CC4	0_2_016E4CC4
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E0C28	0_2_016E0C28

Source: yoyf.exe, 00000000.00000000.1299455078.0000000000C60000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTestConnection.exeB vs yoyf.exe
Source: yoyf.exe, 00000000.00000002.1326325480.000000000131E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs yoyf.exe
Source: yoyf.exe	Binary or memory string: OriginalFilenameTestConnection.exeB vs yoyf.exe

Source: classification engine

Classification label: mal64.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\yoyf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yoyf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

Mutant created: NULL

Source: yoyf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yoyf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\yoyf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yoyf.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: yoyf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yoyf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(_0024VB_0024Me.zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{_0024VB_0024Me.Km40W();}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{object logTextBox = LogTextBox;NewLateBinding.LateSet(logTextBox, (Type)null, "Text", new object[1] { Operators.AddObject(NewLateBinding.LateGet(logTextBox, (Type)null, "Text", new object[0], (string[])null, (Type[])null, (bool[])null), (object)(g6Q3C + Environment.NewLine)) }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{NewLateBinding.LateSet(LogTextBox, (Type)null, "Text", new object[1] { "" }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{NewLateBinding.LateSet(LabelStatus, (Type)null, "Text", new object[1] { j4HAa }, (string[])null, (Type[])null);NewLateBinding.LateSet(LabelStatus, (Type)null, "BackColor", new object[1] { z6APa }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{NewLateBinding.LateSetComplex(StartValueTextbox, (Type)null, "Text", new object[1] { e7R9E }, (string[])null, (Type[])null, false, true);NewLateBinding.LateSetComplex(NewLateBinding.LateGet(zmort, (Type)null, "Settings", new object[0], (string[])null, (Type[])null, (bool[])null), (Type)null, "CurrentDNI", new object[1] { e7R9E }, (string[])null, (Type[])null, false, true);NewLateBinding.LateSetComplex(NewLateBinding.LateGet(zmort, (Type)null, "Settings", new object[0], (string[])null, (Type[])null, (bool[])null), (Type)null, "LastDNI", new object[1] { NewLateBinding.LateGet(EndValueTextbox, (Type)null, "Text", new object[0], (string[])null, (Type[])null, (bool[])null) }, (string[])null, (Type[])null, false, true);NewLateBinding.LateCall(NewLateBinding.LateGet(zmort, (Type)null, "Settings", new object[0], (string[])null, (Type[])null, (bool[])null), (Type)null, "Save", new object[0], (string[])null, (Type[])null, (bool[])null, true);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, s0J7Z.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", obj2, (string[])null, (Type[])null, obj3, true)
Source: yoyf.exe, s0J7Z.cs	.Net Code: NewLateBinding.LateCall(typeFromHandle, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E58F0 pushfd ; iretd		0_2_016E5991
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_016E0006 pushfd ; ret		0_2_016E001D

Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Memory allocated: 16E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Memory allocated: 5070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Window / User API: threadDelayed 1238			Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Window / User API: threadDelayed 3065			Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7460	Thread sleep count: 1238 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7460	Thread sleep count: 3065 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99212s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98853s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98691s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98427s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -98088s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7392	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7432	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 7372	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99212	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98853	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98691	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98427	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 98088	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: yoyf.exe, 00000000.00000002.1326325480.0000000001390000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yoyf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Queries volume information: C:\Users\user\Desktop\yoyf.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yoyf.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Privateloader
yoyf.exe	100%	Avira	HEUR/AGEN.1362869

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://i.ibb.cod	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
i.ibb.co	91.134.10.182	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://i.ibb.co/ByQRHy3/126-Final.webp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	yoyf.exe	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	yoyf.exe	false		high
https://sectigo.com/CPS0	yoyf.exe	false		high
https://i.ibb.co	yoyf.exe, 00000000.00000002.1327142394.00000000030DA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	yoyf.exe	false		high
http://i.ibb.co	yoyf.exe, 00000000.00000002.1327142394.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	yoyf.exe	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	yoyf.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	yoyf.exe	false		high
http://ocsp.sectigo.com0;	yoyf.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	yoyf.exe	false		high
https://i.ibb.co/ByQRHy3/126-Final.webpT	yoyf.exe, 00000000.00000002.1327142394.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i.ibb.co/ByQRHy3/126-Final.webpt	yoyf.exe, 00000000.00000002.1327142394.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i.ibb.cod	yoyf.exe, 00000000.00000002.1327142394.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	yoyf.exe, 00000000.00000002.1327142394.00000000030DA000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.134.10.182	i.ibb.co	France		16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577489
Start date and time:	2024-12-18 14:14:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yoyf.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@1/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 35 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target yoyf.exe, PID 7352 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: yoyf.exe

Simulations

Behavior and APIs

Time	Type	Description
08:15:48	API Interceptor	21x Sleep call for process: yoyf.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	FINAL_PDF.exe	Get hash	malicious	Unknown	Browse	91.134.10.168
	Filezilla.exe	Get hash	malicious	Unknown	Browse	91.134.10.127
	cv.exe	Get hash	malicious	Unknown	Browse	91.134.10.168
	Filezilla-stage2.exe	Get hash	malicious	Unknown	Browse	91.134.10.168
	https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.au	Get hash	malicious	HTMLPhisher	Browse	91.134.82.79
	https://dsiete.co/share.html	Get hash	malicious	HTMLPhisher	Browse	91.134.9.160
	msedge.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	91.134.9.160
	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	HTMLPhisher	Browse	91.134.10.127
	Fatura931Pendente956.pdf761.msi	Get hash	malicious	Unknown	Browse	91.134.82.79
	https://trimmer.to:443/GWHMY	Get hash	malicious	HTMLPhisher	Browse	162.19.58.157

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	Lu4421.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	51.89.44.68
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114
	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	167.114.27.228
	KE2yNJdV55.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	LA0gY3d103.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	uzI7DAON53.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	139.99.188.124
	4a5MWYOGVy.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	91.134.10.182
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	91.134.10.182
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	91.134.10.182
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	91.134.10.182
	cali.exe	Get hash	malicious	AgentTesla	Browse	91.134.10.182
	VJQyKuHEUe.exe	Get hash	malicious	Unknown	Browse	91.134.10.182
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	91.134.10.182
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	91.134.10.182
	nrGkqbCyKP.exe	Get hash	malicious	Unknown	Browse	91.134.10.182
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	91.134.10.182

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yoyf.exe.log

Download File

Process:	C:\Users\user\Desktop\yoyf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	5.361594852750487
Encrypted:	false
SSDEEP:	24:MLU84qpE4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:Mgv2HKlYHKh3owH8tHo6hAHKzeR
MD5:	D4BA6A88633E490E0B152485B7AF206C
SHA1:	87F1032510FA233CC2FA9B62745FADE94E8461CF
SHA-256:	7987C47DC9A18C34D39E334C97CBCEC0AA791A253A7B345AAB0FB61EDFF75F10
SHA-512:	F830889AD7DEAA84B7903F210891342B3879CB9A85392FA336DE69C7A21E02804276A60CDDF656B34B71876748215E13FEE4DE25FE95A97612833A76BD91CD00
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=n

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.080405319068242
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yoyf.exe
File size:	928'104 bytes
MD5:	e3dcc770ca9c865a719c2b1f1c5b174e
SHA1:	3690617064fbcccba9eacc76be2e00cd34bac830
SHA256:	7a41fa61102269baa65f7f762cf868c3c6a506fb58b590b6ae1352b864f2831e
SHA512:	c569ebd0b2286307ba5fd18deee905b550a4a84c19a54d0c4eb1a0f006acf7814cda0f44d8fb79c72e059e997fc49c2114cdfb698734b7570b967a5c8004b1b6
SSDEEP:	12288:bvsKwGRdLBBNNBqiLckdXZj8YNQDcodji13ywe4GOMvS5JfAu8G:bvs78RRNBqin7oYNCcoe3h9MeJ78G
TLSH:	B7154AC2134CFA81F73F5BB19154F8E583ABE9E688A1D64945C4A2DA37737807DE1883
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P..].........."...P......*........... ........@.. .......................`.......w....`................................

File Icon


Icon Hash:	2d16c7896d6d3dbd

Static PE Info

General

Entrypoint:	0x4cf38e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D1CD450 [Wed Jul 3 16:14:08 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcf338	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x12648	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe0200	0x2968
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcd394	0xcd400	2e5338a06f55319fbb8c2ba8ab843484	False	0.5655117615712546	data	6.047523824732202	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x12648	0x12800	c7c676a1ddf20daf6eeacdad67552d29	False	0.5803816511824325	data	5.834962376629586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	8945ffd1ca4e36c43c96a8c4b5ec00ab	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd0514	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536, 16 important colors	0.25670731707317074
RT_ICON	0xd0b7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	0.353494623655914
RT_ICON	0xd0e64	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384, 16 important colors	0.4036885245901639
RT_ICON	0xd104c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	0.4831081081081081
RT_ICON	0xd1174	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 205 important colors	0.39072494669509594
RT_ICON	0xd201c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 136 important colors	0.40974729241877256
RT_ICON	0xd28c4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672, 100 important colors	0.3773041474654378
RT_ICON	0xd2f8c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 54 important colors	0.2774566473988439
RT_ICON	0xd34f4	0x4620	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.979556595365419
RT_ICON	0xd7b14	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.2254149377593361
RT_ICON	0xda0bc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.324812382739212
RT_ICON	0xdb164	0x9e8	Device independent bitmap graphic, 25 x 48 x 32, image size 2496	0.3592271293375394
RT_ICON	0xdbb4c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3723404255319149
RT_ICON	0xdbfb4	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	0.38353658536585367
RT_ICON	0xdc61c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	0.5483870967741935
RT_ICON	0xdc904	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.5608108108108109
RT_ICON	0xdca2c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.7388059701492538
RT_ICON	0xdd8d4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.8447653429602888
RT_ICON	0xde17c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.8229768786127167
RT_ICON	0xde6e4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.6637966804979253
RT_ICON	0xe0c8c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.6862101313320825
RT_ICON	0xe1d34	0x424	Device independent bitmap graphic, 16 x 30 x 32, image size 0	0.42547169811320756
RT_GROUP_ICON	0xe2158	0xbc	data	0.601063829787234
RT_GROUP_ICON	0xe2214	0x84	data	0.6590909090909091
RT_VERSION	0xe2298	0x3b0	data	0.375

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:15:49.850923061 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:49.850965023 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:49.851114035 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:49.863761902 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:49.863780022 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.275872946 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.275955915 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:51.321063995 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:51.321086884 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.321456909 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.368057966 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:51.563395977 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:51.611330986 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.978111029 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.978189945 CET	443	49699	91.134.10.182	192.168.2.7
Dec 18, 2024 14:15:51.978254080 CET	49699	443	192.168.2.7	91.134.10.182
Dec 18, 2024 14:15:51.990771055 CET	49699	443	192.168.2.7	91.134.10.182

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:15:49.694942951 CET	52107	53	192.168.2.7	1.1.1.1
Dec 18, 2024 14:15:49.833038092 CET	53	52107	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 14:15:49.694942951 CET	192.168.2.7	1.1.1.1	0x6d1b	Standard query (0)	i.ibb.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 14:15:49.833038092 CET	1.1.1.1	192.168.2.7	0x6d1b	No error (0)	i.ibb.co	91.134.10.182	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:15:49.833038092 CET	1.1.1.1	192.168.2.7	0x6d1b	No error (0)	i.ibb.co	91.134.9.159	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:15:49.833038092 CET	1.1.1.1	192.168.2.7	0x6d1b	No error (0)	i.ibb.co	91.134.9.160	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:15:49.833038092 CET	1.1.1.1	192.168.2.7	0x6d1b	No error (0)	i.ibb.co	91.134.10.127	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:15:49.833038092 CET	1.1.1.1	192.168.2.7	0x6d1b	No error (0)	i.ibb.co	91.134.10.168	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:15:49.833038092 CET	1.1.1.1	192.168.2.7	0x6d1b	No error (0)	i.ibb.co	91.134.82.79	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

i.ibb.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	91.134.10.182	443	7352	C:\Users\user\Desktop\yoyf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:15:51 UTC	80	OUT	GET /ByQRHy3/126-Final.webp HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive
2024-12-18 13:15:51 UTC	144	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 18 Dec 2024 13:15:51 GMT Content-Type: image/png Content-Length: 1031 Connection: close
2024-12-18 13:15:51 UTC	1031	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 b4 00 00 00 b4 04 03 00 00 00 cf e3 1b 01 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 30 50 4c 54 45 26 a9 e2 ff ff ff df fc ff 26 bd f2 26 a9 e9 9c f0 ff df d8 e9 51 aa e3 ff f1 f3 ff e3 ec be fa ff be ca e5 51 d0 f8 9c bb e3 77 ad e3 77 e0 fc 4a 4b 7f 56 00 00 03 75 49 44 41 54 68 de ed 98 3f 6b db 40 14 c0 0f 4e a3 c0 bc 40 c5 b9 c2 86 f3 1a 5a 90 a1 14 02 a5 5d b4 88 40 70 3f 81 a0 43 a0 43 11 6d c6 4c 5d 3c a4 2d da 32 5f c7 4e 6e 3f 40 8b 32 66 d2 37 88 3e 40 28 c8 1f a0 f4 bd 93 1c d4 60 2b b2 89 a0 2d ef 47 a4 e8 df fd 74 7a 7a 77 d6 9d 10 0c c3 30 0c c3 30 0c c3 30 0c c3 30 0c f3 6f 23 7f f6 a6 9e 42 bc ee 86 da 6b 39 db 91 00 d2 be d4 a1 Data Ascii: PNGIHDRgAMAasRGB0PLTE&&&QQwwJKVuIDATh?k@N@Z]@p?CCmL]<-2_Nn?@2f7>@(`+-Gtzzw0000o#Bk9

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: yoyf.exePID: 7352, Parent PID: 4056

General

Target ID:	0
Start time:	08:15:48
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\yoyf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yoyf.exe"
Imagebase:	0xb90000
File size:	928'104 bytes
MD5 hash:	E3DCC770CA9C865A719C2B1F1C5B174E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: yoyf.exePID: 7352, Parent PID: 4056COMMON

Executed Functions

Function 016E5998 Relevance: .9, Instructions: 911COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273cf0c74df841bd9691c30c5aa54d5718d60a919c1f9f9e78c5c6a6adbbf319
Instruction ID: b9a4460b918c31b4057dad1933419d2e0e041307c0edf56a86c0db92e64669ca
Opcode Fuzzy Hash: 273cf0c74df841bd9691c30c5aa54d5718d60a919c1f9f9e78c5c6a6adbbf319
Instruction Fuzzy Hash: 85826B34A02205DFDB25CF68C988AAEBBF2FF88314F158659E4069B3A5D731ED41CB50

Function 016E4CC4 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9e13acfd90cbe943ef8e749379b04022787a51025a0904ad60c99a1a56ae2e
Instruction ID: ce06d845ff240864ef6bc64d1789d0cb3a533a31eec9212cad21727f40028f3b
Opcode Fuzzy Hash: ed9e13acfd90cbe943ef8e749379b04022787a51025a0904ad60c99a1a56ae2e
Instruction Fuzzy Hash: 09128D74A002198FDB14DF69CC58BAEBBF6BF88304F148269E506DB395DB359D42CB90

Function 016E0C50 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e078d5093ff40474843ce2f17a63238d0c0dbd0c7649b9ee58d2a50539a804
Instruction ID: 5f9a346b33b3eccb6404509e8caa2005da03ac428069f183b7b745c4f7c3652a
Opcode Fuzzy Hash: 90e078d5093ff40474843ce2f17a63238d0c0dbd0c7649b9ee58d2a50539a804
Instruction Fuzzy Hash: 9922A134E01218CFEB25DFA4CD54B9DBBB6BB49301F1081A9E40AAB354DB35AD82DF51

Function 016E0C28 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0f5d0cf9b3b82700644fa9a98a85a97df2ae7ac6765ccb7a6a636560e652f8
Instruction ID: 625e24d28536a485cb6773f6577eeedba164e3e58701ac25d3e9a97829ecf123
Opcode Fuzzy Hash: af0f5d0cf9b3b82700644fa9a98a85a97df2ae7ac6765ccb7a6a636560e652f8
Instruction Fuzzy Hash: DD22B234E01218CFEB25DFA4CD54B9DBBB2BB49301F1081A9E40AAB354DB35AD86DF51

Function 016E9AB8 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96059baf471672a7d00c090c00cfc84b97ac08b8cfa9d9e56eb38ab4ce29c2bb
Instruction ID: cd8856f9d5ebeaef90ad8f472a37d3a34c3c5c402542715277de50d16c99cfbc
Opcode Fuzzy Hash: 96059baf471672a7d00c090c00cfc84b97ac08b8cfa9d9e56eb38ab4ce29c2bb
Instruction Fuzzy Hash: DAD17031B012148BDB28AF799C5867E7AE7AFC4705B14866EE407D7388DF34DC128B95

Function 016E543C Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84127021fc421d120d67445080aaec6cb506930abd8c9f30786b4a327943908d
Instruction ID: 1c686ecd4cb7022dc1cdea0049de5cfd9bf6da47808bafde7fb8e8fa05c4c9e4
Opcode Fuzzy Hash: 84127021fc421d120d67445080aaec6cb506930abd8c9f30786b4a327943908d
Instruction Fuzzy Hash: A6E15E38A01215CFDB14CF68CD88AAEBBF6BF48308F558259E906AB365D730E951CF50

Function 016EA58D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c7afddba378f30987a6869c51ec909a9c13da655bb2d06c5bd1689dd6e23e1
Instruction ID: a2ccd6459b27b71720a55a3020acd484098c8e45cc8a17fca955393c2eac0fc6
Opcode Fuzzy Hash: c9c7afddba378f30987a6869c51ec909a9c13da655bb2d06c5bd1689dd6e23e1
Instruction Fuzzy Hash: A501E870D0620D8FDB20DFE1DD586ADBBF1AB8A301F20A55AD812B7244DB349A46CF55

Function 016E4300 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0355b000c39dabc08dc55e3c6c4cd3edf00318d2d8caa17e6a540d2d3e0c54
Instruction ID: 124999e9103d714a5fbef4162ff81f5c87c4bf83cf4e4a9cd5ea467b5d333251
Opcode Fuzzy Hash: fd0355b000c39dabc08dc55e3c6c4cd3edf00318d2d8caa17e6a540d2d3e0c54
Instruction Fuzzy Hash: D1E1A930B012159FDB15AF78CC58B7E7BEAAB88251F148629E506CB395CF34DC52CB91

Function 016E6730 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de861d8a0200bd4ed94ccc5ac2bcbc64d9a9b9119ef6664d7894b8e386287cfe
Instruction ID: 1001d658bce15c1ebef254c9e2f52b9ce63e43987786331b96eead1f9f569457
Opcode Fuzzy Hash: de861d8a0200bd4ed94ccc5ac2bcbc64d9a9b9119ef6664d7894b8e386287cfe
Instruction Fuzzy Hash: 5BE11871E012149FCB15CF6CC9889ADBBF6BF98310F1A8599E515AB361D731EC41CB60

Function 016E5995 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfc39fdb52135eaabbcf1d61fac2d62865391e9c03d04119da77d4f795d180a
Instruction ID: 2e4ce57e0349988b96a72c6ff38a0a868bf18bb41c61e73c4beadc0ec9b2880b
Opcode Fuzzy Hash: 8bfc39fdb52135eaabbcf1d61fac2d62865391e9c03d04119da77d4f795d180a
Instruction Fuzzy Hash: 86C16B34A012099FCB25CF69C888A9EBBF6BF48318F148659E906EB361D731ED41CF50

Function 016E8228 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed715b8eb230a2235eeac62763b73c13f837271f76567f558725c8d982582a7a
Instruction ID: 1dfe904b6acb00436e4358c08bbb3de5344c5a61d56422daf1212cdb2b24f9f3
Opcode Fuzzy Hash: ed715b8eb230a2235eeac62763b73c13f837271f76567f558725c8d982582a7a
Instruction Fuzzy Hash: C1913834702645CFDB25CF68CD98A6D7BEAEF49610B1941A9EA02CB3B1CB74DC41CB90

Function 016E4A38 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485dd0ae280c6bb66ba441bddaa68e4cd67540f91dddbac045ce0c2dc63fdf7a
Instruction ID: 64b9212355bfe1d61ba9978125564c594e8f9b61e47f12d77210e6f34c529570
Opcode Fuzzy Hash: 485dd0ae280c6bb66ba441bddaa68e4cd67540f91dddbac045ce0c2dc63fdf7a
Instruction Fuzzy Hash: 8B615B34A01505CFDB14CF7DCC88A6ABBF2BF88615B158669D902EB365DF31E842CB54

Function 016E6510 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f4a971457fd48b32e347e91872f23dc160948150e18c113633d5ee57d47757
Instruction ID: 38e27322b2856b871626fa1dcafe3650bdd300f4ac818bfe714e3c2b9ad1c22a
Opcode Fuzzy Hash: 26f4a971457fd48b32e347e91872f23dc160948150e18c113633d5ee57d47757
Instruction Fuzzy Hash: 0541DF317052548FCB159F78DC586AD7FF6AFC9210F1442AED506DB3A6DA319C02CB51

Function 016E52F0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5206b03f3e6c657565cbc70ec021925f753434530ed00bfba2f944221d4ded1
Instruction ID: 17c62ba1ff0f8be5e608cacb9339df9ea608b5eac6bcca67c9e0ed0f33bf1cc9
Opcode Fuzzy Hash: a5206b03f3e6c657565cbc70ec021925f753434530ed00bfba2f944221d4ded1
Instruction Fuzzy Hash: 7941C335A01208DFCB158F68DC08BAEBBF6EB44308F04816AE856DB351EB75DD55CB91

Function 016EA6C0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db4e86f464bd3d7131dc414feaac966d74705b48fae57802439100ef328445e
Instruction ID: 725dcfe58b572d5a40be565aeba56103cf0637dc30a11be17d022bd62a785ac4
Opcode Fuzzy Hash: 5db4e86f464bd3d7131dc414feaac966d74705b48fae57802439100ef328445e
Instruction Fuzzy Hash: D331E134A052049FDB14DBB89C586AEBFF6EF85201F1481BAD006DB355DA389D0AD762

Function 016E36B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6797e917954c3cf75b9bd05f5182b6e73868528071e832b78e43a5fd7f7748fa
Instruction ID: a733dd451e76eb5ea65bff93ed801829fe65c07e41d97e7df76503847ffa0303
Opcode Fuzzy Hash: 6797e917954c3cf75b9bd05f5182b6e73868528071e832b78e43a5fd7f7748fa
Instruction Fuzzy Hash: FF316D7560110A9FDF06AFA8DC48AAE3BE6FB88711F008128F9059B354CB35CC22DB95

Function 016E8528 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19df21d16ab9576d0d57aebe2335ee00a6bd6c3ca91e79ac8b43034673ca9ba8
Instruction ID: 931ee0449592ab4eb80fe238209bf05d28846cae4a59af57ee1e22488e016c9f
Opcode Fuzzy Hash: 19df21d16ab9576d0d57aebe2335ee00a6bd6c3ca91e79ac8b43034673ca9ba8
Instruction Fuzzy Hash: 7D21F3317063114FDB265B3D9D6C2392BDFAFC6210B1442AAD502CB3AEDF29CC429B81

Function 016E1E2C Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c3d0aea179b5b05d97c4d7a39a090ce87cee2c82181cf85f9b5339f3eccc96
Instruction ID: 8bb2c0190cc0dc3510a20a809e837b246d0948794e87c70d55009b7e94f02530
Opcode Fuzzy Hash: f4c3d0aea179b5b05d97c4d7a39a090ce87cee2c82181cf85f9b5339f3eccc96
Instruction Fuzzy Hash: 7A3145B0D012489FDB14DFAAC984BDEBFF5AF48310F248519E909AB360CB349942DF90

Function 016E8538 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c44dfb56d3ab2669046c811ddf6461f582f32d02336548dd8cf58aed872538
Instruction ID: ea524bbc70eb04e123b10eb2ff5c57681229784200283f26967aacab4411f04a
Opcode Fuzzy Hash: 50c44dfb56d3ab2669046c811ddf6461f582f32d02336548dd8cf58aed872538
Instruction Fuzzy Hash: 7821B3303012114BEB366A2E9C5873E66CFAFC5614F144279D502CB39DEF69CC829B84

Function 016E671F Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be648c7b0c8edfaca6720e16c1f67ec758b45b7085b35895e5588c4bbe4dea
Instruction ID: 062cf06d6d7e420e59d4a47932f21f02a9a129c66fbefa6d3c4c1a441248314b
Opcode Fuzzy Hash: c5be648c7b0c8edfaca6720e16c1f67ec758b45b7085b35895e5588c4bbe4dea
Instruction Fuzzy Hash: DB319270E002058FCB04CF68CC889AEBBF6FF95320B158659E5159B3A5C734DC01CBA0

Function 016E1E38 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c808409310cdf61444622ff1722aace725759ce52402213e02e359f2cb38f1d5
Instruction ID: e203be78460b527be654f80aaa8252cca890f11cff7613bc27c2455c7774eb2c
Opcode Fuzzy Hash: c808409310cdf61444622ff1722aace725759ce52402213e02e359f2cb38f1d5
Instruction Fuzzy Hash: 9B3115B0D012489FDB14DFAAC984BDEBFF5AF48310F248129E909AB350DB349941DFA0

Function 016E1518 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016f9fc79e4ae05df69c1ed9b863a688a3715bcc89d31f0bd5a2812a5b646105
Instruction ID: c38409051e04a41a7ce836a102d17ab3eda56ce4f058936c2123f52e523185c7
Opcode Fuzzy Hash: 016f9fc79e4ae05df69c1ed9b863a688a3715bcc89d31f0bd5a2812a5b646105
Instruction Fuzzy Hash: 5C31F2B5E012189FCB08CFA9D8805DDBBF6BF8A200F14852AD409BB354EB319902CF50

Function 016E4848 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5381aa558a081d8795825c3089507d30b02c6c60e27a38214c16f3fc26e53319
Instruction ID: ce567bec2e3dddfa6b623c54463ff4ece448865eb83e9b9acee8dc7113f9a83e
Opcode Fuzzy Hash: 5381aa558a081d8795825c3089507d30b02c6c60e27a38214c16f3fc26e53319
Instruction Fuzzy Hash: 0221F5347026518BD7299E7DDC5852BB7EBBF89611B16427ADA06DB394CF34DC02CB80

Function 016E36A9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b7290bd8993a3cf37e153a55346fca3fb92836d8d7c4dc9246c2b7e53e4525
Instruction ID: bd59d0371e83230a0f2558c7bb23d22e379914bdb54e86921d39fe167e5595ce
Opcode Fuzzy Hash: a0b7290bd8993a3cf37e153a55346fca3fb92836d8d7c4dc9246c2b7e53e4525
Instruction Fuzzy Hash: A921F275A062069FEF169F68DC4866A3BE6FB88321F04812DE9059B341D738CC16CB65

Function 016E58F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adfdb4629e5a0fab603da88aec9246e85fa3db18d32a248c07838184a626250
Instruction ID: 789c30a1abef4714312594f65a00c434bf9df2d99b18bcaf6b4823b17ca2c813
Opcode Fuzzy Hash: 5adfdb4629e5a0fab603da88aec9246e85fa3db18d32a248c07838184a626250
Instruction Fuzzy Hash: 25215E391026949FC706CF2DCC88A95BBE5AF47374B058752E96A8B3E5D331ED10CB90

Function 016E58E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d0f97597e2dcb0b9c5d204df93009ea99955429f28e5c3a5232717f51b6fef
Instruction ID: 969286b2aea54e27d484dfbf0502d617968f33e1dd7a9376297adfa727d394d5
Opcode Fuzzy Hash: 65d0f97597e2dcb0b9c5d204df93009ea99955429f28e5c3a5232717f51b6fef
Instruction Fuzzy Hash: E6214F796025909FC706CF2CCC88A90BBE5EF473787054756E96A8B3E5D330E951CB90

Function 016E6574 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48c4e9fb31040b7078d050adfc54c536a856bb905eaed75195ed961fe359eea
Instruction ID: 63822bce5382014e6031335e7f2e001ddf5249cb57f08d131514093776cb4900
Opcode Fuzzy Hash: e48c4e9fb31040b7078d050adfc54c536a856bb905eaed75195ed961fe359eea
Instruction Fuzzy Hash: 64114936B111149FDB149FA8DC58A9EBBFABB8C311F104129E916A7394CB31AC11CB90

Function 016E42F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b33e9d6d9fbec91e9ce71ee92a2a044fa1ce4a0c449927109fc61b6b8a5464
Instruction ID: e2fa8aea82f3a1e4a2513ae60a351361f6a67fdb84db36e533f991301edf53f6
Opcode Fuzzy Hash: f3b33e9d6d9fbec91e9ce71ee92a2a044fa1ce4a0c449927109fc61b6b8a5464
Instruction Fuzzy Hash: 6811B834A02215CFCB15DE39CC4C628BBF6BB84221F158269D90ACB345DF30E842CBA1

Function 016EC1AE Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84b99022d56528b9302825ef68771b6e600df246e2d0eb7f23acdffcb6deb36
Instruction ID: ed471612dde2ebd3e53fa604d3787bb734bf3d0abc94375e8da51b8fcb5362cc
Opcode Fuzzy Hash: b84b99022d56528b9302825ef68771b6e600df246e2d0eb7f23acdffcb6deb36
Instruction Fuzzy Hash: 04019275901305EFD760ABB8D8096AE7FF5EB89210F50862DE519E3300EB7499468B91

Function 0168D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326726780.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a01d588fdb36b8d75efb657cab970348a846fde8878d016470fbcadde5b6b87
Instruction ID: b70aca16105d1a9da03e4538d78fdc8811b1406912afeca443ffa07b8824cccd
Opcode Fuzzy Hash: 2a01d588fdb36b8d75efb657cab970348a846fde8878d016470fbcadde5b6b87
Instruction Fuzzy Hash: 3E0126311083849FE7207A55DCC4B76FFD8DF41235F08C22AED094A2C2C3389841CAB2

Function 0168D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326726780.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a747f75ebba14897a4c78f3045e22e081da2a425596506b53130b3bb420bc4e5
Instruction ID: 3f2bf87193267379c9a563ab39ffe43b39e6b7310746e55ff34e91d1ec465849
Opcode Fuzzy Hash: a747f75ebba14897a4c78f3045e22e081da2a425596506b53130b3bb420bc4e5
Instruction Fuzzy Hash: 47F096715043849EE7109A19DC84B62FFD8EB41734F18C55AED484B2C7C3799844CB71

Function 016E7F10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b92cf4b72170a82a4bcf27c2c0599fc1b510373a8c5139c89cc20dcd71142af
Instruction ID: b028d6deed9604ce1b913ff84a6baf1807b4d2453a2a09e5445a83c442be6510
Opcode Fuzzy Hash: 6b92cf4b72170a82a4bcf27c2c0599fc1b510373a8c5139c89cc20dcd71142af
Instruction Fuzzy Hash: 48E0DFB0C083C40FCB629774AC488443FB6A99244170146AAC4C0AF1ABCAA80C0AE752

Function 016EC1C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5739165345e9e8c5204374e80c04730aaa924886c11104f0d57f9f093b4558c
Instruction ID: f3af378b1ed4e73a3d27c6fd6e4664e93509319e94b7bf3948ad03eafaacdae9
Opcode Fuzzy Hash: c5739165345e9e8c5204374e80c04730aaa924886c11104f0d57f9f093b4558c
Instruction Fuzzy Hash: 2FE0ED70D0130ADFDB50EFB8C80939EBFF4AF08204F60856AD415E2240E77986458FD1

Function 016E6625 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65609aca08e0e5e280631992d09ef6d1df350b38e12db8adbcea31f51dcbbb18
Instruction ID: 6fb0812147957634ca1ffb284a29dc5fdef499f59dba6a182c1e0979a0a0f1aa
Opcode Fuzzy Hash: 65609aca08e0e5e280631992d09ef6d1df350b38e12db8adbcea31f51dcbbb18
Instruction Fuzzy Hash: 54D0673BB010189FCF149F98EC40DDDF7B6FB98221B44911AE915A3264C631A961DBA4

Function 016E7F20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326906263.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16e0000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1d20a62df05fda9d1ac2c04a4d0ad28a5823f284ce3add70760dec3e0dbf51
Instruction ID: a89642d0d7edd1b726b0dbab2cce1ffd5d5536d6b5006ac2e62a95a5bed325b7
Opcode Fuzzy Hash: 8c1d20a62df05fda9d1ac2c04a4d0ad28a5823f284ce3add70760dec3e0dbf51
Instruction Fuzzy Hash: 1AC012349103454BE661FBB1FC44915376AFAC0902740962094452F209DE7CBC0AE696

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yoyf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yoyf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
yoyf.exe