Windows Analysis Report
OTRykEzo6o.exe

Overview

General Information

Sample name: OTRykEzo6o.exe (renamed because original name is a hash value)
Original sample name: 2dc4dc33dde889c46cde552a1d3647be.exe
Analysis ID: 1581385
MD5: 2dc4dc33dde889c46cde552a1d3647be
SHA1: a1b8e5889a9726232e68574b890aae6c228cc418
SHA256: dcadbac2c5d356b2a7ee58c091642c767a8d9a4d35dadeaa1ca924ef140c596a
Tags: exe, user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • OTRykEzo6o.exe (PID: 1916 cmdline: "C:\Users\user\Desktop\OTRykEzo6o.exe" MD5: 2DC4DC33DDE889C46CDE552A1D3647BE)
    • cmd.exe (PID: 936 cmdline: "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5908 cmdline: sc delete "WinSvcs" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • reg.exe (PID: 2268 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: OTRykEzo6o.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: OTRykEzo6o.exe | Joe Sandbox ML: detected
Source: OTRykEzo6o.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Code function: 0_2_00007FFD348B0FD9 NtQuerySystemInformation, 0_2_00007FFD348B0FD9
Source: OTRykEzo6o.exe | Static PE information: No import functions for PE file found
Source: OTRykEzo6o.exe, 00000000.00000000.2123630795.0000000000262000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamenew-uninstaller.exe4 vs OTRykEzo6o.exe
Source: OTRykEzo6o.exe | Binary or memory string: OriginalFilenamenew-uninstaller.exe4 vs OTRykEzo6o.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: classification engine | Classification label: mal56.winEXE@8/1@0/0
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OTRykEzo6o.exe.log
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: OTRykEzo6o.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OTRykEzo6o.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\OTRykEzo6o.exe "C:\Users\user\Desktop\OTRykEzo6o.exe"
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc delete "WinSvcs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc delete "WinSvcs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: OTRykEzo6o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: OTRykEzo6o.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: OTRykEzo6o.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Code function: 0_2_00007FFD348B00BD pushad ; iretd 0_2_00007FFD348B00C1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc delete "WinSvcs"
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Memory allocated: 1B280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OTRykEzo6o.exe TID: 3428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc delete "WinSvcs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Source: C:\Users\user\Desktop\OTRykEzo6o.exe | Queries volume information: C:\Users\user\Desktop\OTRykEzo6o.exe VolumeInformation
MITRE ATT&CK Matrix

Matched techniques per tactic (the leading number is the indicator shown next to the technique in the report's matrix; tactics without a matched technique are listed at the end):

  • Execution: 1 Service Execution
  • Persistence: 1 Windows Service; 1 DLL Side-Loading
  • Privilege Escalation: 1 Windows Service; 11 Process Injection; 1 DLL Side-Loading
  • Defense Evasion: 1 Masquerading; 1 Modify Registry; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information
  • Discovery: 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 11 System Information Discovery
  • No matched techniques: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Behavior Graph

Behavior Graph ID: 1581385 | Sample: OTRykEzo6o.exe | Startdate: 27/12/2024 | Architecture: WINDOWS | Score: 56
Signatures attached to the start node: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; AI detected suspicious sample

  • OTRykEzo6o.exe (started)
    • dropped: C:\Users\user\AppData\...\OTRykEzo6o.exe.log (CSV)
    • cmd.exe (started)
      • conhost.exe (started)
      • reg.exe (started)
      • sc.exe (started)

Source | Detection | Scanner | Label
OTRykEzo6o.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
OTRykEzo6o.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581385
Start date and time: 2024-12-27 14:50:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OTRykEzo6o.exe (renamed because original name is a hash value)
Original Sample Name: 2dc4dc33dde889c46cde552a1d3647be.exe
Detection: MAL
Classification: mal56.winEXE@8/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 7
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.63
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: OTRykEzo6o.exe
No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: s-part-0035.t-0009.t-msedge.net (context: 13.107.246.63); all entries detected as malicious
  • wceaux.dll.dll (Unknown)
  • wp.bat (Unknown)
  • https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 (Unknown)
  • RDb082EApV.exe (LummaC)
  • GnHq2ZaBUl.exe (LummaC)
  • EwhnoHx0n5.exe (Unknown)
  • onaUtwpiyq.exe (LummaC)
  • CAo57G5Cio.exe (LummaC)
  • wJtkC63Spw.exe (LummaC)
  • qZA8AyGxiA.exe (Unknown)

Match: fp2e7a.wpc.phicdn.net (context: 192.229.221.95); all entries detected as malicious
  • ctfmon.exe (Unknown)
  • wce.exe (Unknown)
  • atw3.dll (Gozi, Ursnif)
  • setup.msi (Unknown)
  • ERTL09tA59.exe (LummaC)
  • vJPhYDClT5.exe (Unknown)
  • V2s8yjvIJw.exe (Iris Stealer)
  • k6olCJyvIj.exe (LummaC)
  • G6xnfES308.exe (Unknown)
  • XM6cn2uNux.exe (LummaC)
      No context
      No context
      No context
Process: C:\Users\user\Desktop\OTRykEzo6o.exe
File Type: CSV text
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.357964438493834
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5: D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1: 669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256: 91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512: C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.940309328516339
TrID:
  • Win64 Executable GUI (202006/5) 91.78%
  • Win64 Executable (generic) (12005/4) 5.45%
  • Win16/32 Executable Delphi generic (2074/23) 0.94%
  • Generic Win/DOS Executable (2004/3) 0.91%
  • DOS Executable Generic (2002/1) 0.91%
File name: OTRykEzo6o.exe
File size: 8'704 bytes
MD5: 2dc4dc33dde889c46cde552a1d3647be
SHA1: a1b8e5889a9726232e68574b890aae6c228cc418
SHA256: dcadbac2c5d356b2a7ee58c091642c767a8d9a4d35dadeaa1ca924ef140c596a
SHA512: ad539d8271d6455294b438a67e29f021a81d2a450f0cf4b133abf846549391a23cb5137555d7ca9fac307bafa959a51cf7485e1a95b53e9f7a158915e4d30326
SSDEEP: 192:4UPhFusW6uvpQjY8Fb8p9/ijG/D9Hy5jKh+:rhEVpQZFop96IlyxKh+
TLSH: 9302E854F7EC8265E67F0F3829F2132647B0F6524627C7DF49C4918A1E25781CBA27E1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....<lg.........."...................... .....@..... .......................`............@...@......@............... .....
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140000000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x676C3CE0 [Wed Dec 25 17:12:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
Instruction (entrypoint preview):
  dec ebp
  pop edx
  nop
  add byte ptr [ebx], al
  add byte ptr [eax], al
  add byte ptr [eax+eax], al
  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x498 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1834 | 0x1a00 | d168ef3c13b8c5cd585761d586e7063b | False | 0.5359074519230769 | data | 5.312819529419805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x498 | 0x600 | d6d6de5465f2984d4eca4dcac3e54a0c | False | 0.3548177083333333 | data | 3.400374757497896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x40a0 | 0x264 | data | | | 0.45098039215686275
RT_MANIFEST | 0x4308 | 0x18d | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.5818639798488665
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 14:51:01.828541040 CET | 1.1.1.1 | 192.168.2.6 | 0xb140 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 14:51:01.828541040 CET | 1.1.1.1 | 192.168.2.6 | 0xb140 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 14:51:15.631614923 CET | 1.1.1.1 | 192.168.2.6 | 0x4227 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 14:51:15.631614923 CET | 1.1.1.1 | 192.168.2.6 | 0x4227 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 08:51:04
Start date: 27/12/2024
Path: C:\Users\user\Desktop\OTRykEzo6o.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\OTRykEzo6o.exe"
Imagebase: 0x260000
File size: 8'704 bytes
MD5 hash: 2DC4DC33DDE889C46CDE552A1D3647BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:51:05
Start date: 27/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Imagebase: 0x7ff67d1c0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 08:51:05
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 08:51:05
Start date: 27/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc delete "WinSvcs"
Imagebase: 0x7ff74fcf0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:51:05
Start date: 27/12/2024
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
Imagebase: 0x7ff6af880000
File size: 77'312 bytes
MD5 hash: 227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Execution Graph

Execution Coverage: 34.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2%
Total number of Nodes: 150
Total number of Limit Nodes: 11

[Execution graph rendering omitted. Its nodes are code addresses in the range 0x7ffd348b0400 to 0x7ffd348b1754; the API calls reached from them are DuplicateHandle, CloseHandle and NtQuerySystemInformation (the latter from 0x7ffd348b0fd9).]

        Callgraph

        Callgraph of 49 functions (Function_00007FFD348B0070 through Function_00007FFD348B196B) in the 00007FFD348B0000 memory region; in the rendered graph each node was marked as executed or not executed, with opacity indicating relevance and disassembly available per function.

        Control-flow Graph

        Control-flow graph for the function at 7ffd348b0fd9-7ffd348b10b4 (blocks 7ffd348b0fd9-7ffd348b108f, 7ffd348b1091 and 7ffd348b1097-7ffd348b10b4); the first block calls NtQuerySystemInformation.
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID: InformationQuerySystem
        • String ID:
        • API String ID: 3562636166-0
        • Opcode ID: f135bbb011cfcda9a28dfba27fd9eed64b70ca8323eeda22753b5e21f148210e
        • Instruction ID: 44919ca7d8936eb15f9951fd942bb49e7600276b285e13564a4708cd2d9be272
        • Opcode Fuzzy Hash: f135bbb011cfcda9a28dfba27fd9eed64b70ca8323eeda22753b5e21f148210e
        • Instruction Fuzzy Hash: 2F31C131A0CB4C4FDB19DB9C98596E9BBF1EB66311F04426FD049D3292DB64A816CB81

        Control-flow Graph

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID:
        • String ID: 8[z4$M_^$M_^$3CM_^
        • API String ID: 0-2895658832
        • Opcode ID: 25e81fe6eeb48984488359af2ae7850812aa6065c9c1739abc70908b6f254bc0
        • Instruction ID: 1ff17432c26510c6a0b79b31af18e74b98e0e6b9418251371372a3ff9ed8593e
        • Opcode Fuzzy Hash: 25e81fe6eeb48984488359af2ae7850812aa6065c9c1739abc70908b6f254bc0
        • Instruction Fuzzy Hash: 0B916B71F0DA855FE759AB68886A6B87BE1FF53310F0442BED449C32D3DE68A805C781

        Control-flow Graph

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID:
        • String ID: 3CM_^
        • API String ID: 0-3911827768
        • Opcode ID: 1c923517dea9f8c6d531456bc08af4c7b92492bb31de993dd317f2eb41430977
        • Instruction ID: 706255741e1679e9ecec558acb377f7dbda9af087af9d8ec89f9395593e3b83e
        • Opcode Fuzzy Hash: 1c923517dea9f8c6d531456bc08af4c7b92492bb31de993dd317f2eb41430977
        • Instruction Fuzzy Hash: 91B13631A0DA854FE755ABB888696B97BE1FF53310F0841BBD499C72D3CE6CA805C781

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 00b025b241a3bc30732452a661fb27ca41319d489c9f7466fd6dd9d7408a702c
        • Instruction ID: c88ae35ab7f339f61a244430f1b5b33c974f5e9ae8a0eee95a310782137412cf
        • Opcode Fuzzy Hash: 00b025b241a3bc30732452a661fb27ca41319d489c9f7466fd6dd9d7408a702c
        • Instruction Fuzzy Hash: 01411531A0CB488FEB189B5C98596F97BE0EF5A311F04427FD449D3292DF78A8468B81

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5f3afb0d1b41232b2f826597ed39ccaab4a0ea04932d74eb7c8a18df4deb8112
        • Instruction ID: e8fece08b9e602f75fe4dcab3b01f43e1e8a6d47fa0481405cd3d7016fa7b0af
        • Opcode Fuzzy Hash: 5f3afb0d1b41232b2f826597ed39ccaab4a0ea04932d74eb7c8a18df4deb8112
        • Instruction Fuzzy Hash: 5941073190CB489FDB189B5C98456F97BE0EF5A311F04427FE449D3292DF74B8468B81

        Control-flow Graph

        Control-flow graph for the function at 7ffd348b1428-7ffd348b1553 (blocks 7ffd348b1428-7ffd348b142f, 7ffd348b1431-7ffd348b1439, 7ffd348b143a-7ffd348b14a7, 7ffd348b14af-7ffd348b151c, 7ffd348b151e and 7ffd348b1524-7ffd348b1553); the block at 7ffd348b14af calls DuplicateHandle.
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 20e88f8283458dfdb42918569dfc524e221a4a82c762960c66230debf2a66563
        • Instruction ID: 3c20ffb04316dd31b981f73dc571ab359e3f37a9e2b1e9057685331c4aca4d10
        • Opcode Fuzzy Hash: 20e88f8283458dfdb42918569dfc524e221a4a82c762960c66230debf2a66563
        • Instruction Fuzzy Hash: F541E43190CA488FDB18DF5C98466F9BBE1FB59321F04422EE449D3292DF74A8568BC1

        Control-flow Graph

        Control-flow graph for the function at 7ffd348b16ac-7ffd348b1781 (blocks 7ffd348b16ac-7ffd348b16b3, 7ffd348b16b5-7ffd348b16bd, 7ffd348b16be-7ffd348b1752, 7ffd348b1754 and 7ffd348b175a-7ffd348b1781); the block at 7ffd348b16be calls CloseHandle.
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2166155525.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ffd348b0000_OTRykEzo6o.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: cab61b83096da49305d3bc5f60c8c29672149e3afb387ad63caf98b6e1661ac1
        • Instruction ID: 1200711b30cf68a5eade70a17686defebdc1b5745e220afd29a3c0ff09f1285c
        • Opcode Fuzzy Hash: cab61b83096da49305d3bc5f60c8c29672149e3afb387ad63caf98b6e1661ac1
        • Instruction Fuzzy Hash: B431E431A0CA4C8FDB59DB6888467E9BBF0FB56320F04426FD049C3192CB74A856CB91