Edit tour

Windows Analysis Report
IMG_10503677.exe

Overview

General Information

Sample name:	IMG_10503677.exe
Analysis ID:	1587440
MD5:	bec6fbf31cafe1b9a1dfc31bf0cedcf8
SHA1:	8fe578a67e5fcecc32e6df8eefeeeca7318de05f
SHA256:	3f1b9a5120a45f7e6cd142b62f7b332c42637fe90bb5e7250f23f437a60c0c2d
Tags:	exeuser-cocaman
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

IMG_10503677.exe (PID: 5680 cmdline: "C:\Users\user\Desktop\IMG_10503677.exe" MD5: BEC6FBF31CAFE1B9A1DFC31BF0CEDCF8)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IMG_10503677.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: IMG_10503677.exe	ReversingLabs: Detection: 34%
Source: IMG_10503677.exe	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: IMG_10503677.exe

Joe Sandbox ML: detected

Source: IMG_10503677.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: IMG_10503677.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 5.253.86.15 5.253.86.15

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: oshi.at

Source: IMG_10503677.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: IMG_10503677.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: IMG_10503677.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: IMG_10503677.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: IMG_10503677.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: IMG_10503677.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: IMG_10503677.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: IMG_10503677.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003025000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003047000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.000000000306C000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.at
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003025000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003047000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.000000000306C000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.atd
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IMG_10503677.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: IMG_10503677.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: IMG_10503677.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/Sdfw
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/SdfwH
Source: IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003030000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.atD
Source: IMG_10503677.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: IMG_10503677.exe

Source: C:\Users\user\Desktop\IMG_10503677.exe

Code function: 0_2_015A3495

0_2_015A3495

Source: IMG_10503677.exe

Static PE information: invalid certificate

Source: IMG_10503677.exe, 00000000.00000000.1697168065.0000000000C60000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamereff.exe2 vs IMG_10503677.exe
Source: IMG_10503677.exe, 00000000.00000002.4153537791.000000000133E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs IMG_10503677.exe
Source: IMG_10503677.exe	Binary or memory string: OriginalFilenamereff.exe2 vs IMG_10503677.exe

Source: IMG_10503677.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\IMG_10503677.exe

Mutant created: NULL

Source: IMG_10503677.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IMG_10503677.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\IMG_10503677.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IMG_10503677.exe	ReversingLabs: Detection: 34%
Source: IMG_10503677.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IMG_10503677.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IMG_10503677.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe	Memory allocated: 15A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe	Window / User API: threadDelayed 1863			Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Window / User API: threadDelayed 7969			Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 732	Thread sleep count: 1863 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 4268	Thread sleep count: 7969 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98965s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98621s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98192s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95478s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe TID: 3604	Thread sleep time: -94297s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98965	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98621	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98372	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98192	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95732	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95478	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94734	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94625	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94516	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94406	Jump to behavior
Source: C:\Users\user\Desktop\IMG_10503677.exe	Thread delayed: delay time: 94297	Jump to behavior

Source: IMG_10503677.exe, 00000000.00000002.4153537791.0000000001404000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly

Source: C:\Users\user\Desktop\IMG_10503677.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe

Queries volume information: C:\Users\user\Desktop\IMG_10503677.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\IMG_10503677.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IMG_10503677.exe	34%	ReversingLabs	ByteCode-MSIL.Infostealer.Tinba
IMG_10503677.exe	37%	Virustotal		Browse
IMG_10503677.exe	100%	Avira	HEUR/AGEN.1350963
IMG_10503677.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://oshi.at/SdfwH	0%	Avira URL Cloud	safe
http://oshi.atd	0%	Avira URL Cloud	safe
https://oshi.atD	0%	Avira URL Cloud	safe
https://oshi.at/Sdfw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshi.at	5.253.86.15	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://oshi.atd	IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003025000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003047000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.000000000306C000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oshi.at	IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oshi.at/SdfwH	IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.000000000304C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://oshi.at	IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003025000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003047000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.000000000306C000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oshi.atD	IMG_10503677.exe, 00000000.00000002.4154250528.0000000003070000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003056000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000003030000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oshi.at/Sdfw	IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, IMG_10503677.exe, 00000000.00000002.4154250528.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.253.86.15	oshi.at	Cyprus		208046	HOSTSLICK-GERMANYNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587440
Start date and time:	2025-01-10 11:38:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMG_10503677.exe
Detection:	MAL
Classification:	mal68.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 85% Number of executed functions: 38 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target IMG_10503677.exe, PID 5680 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:39:53	API Interceptor	11379958x Sleep call for process: IMG_10503677.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.253.86.15	Holiday#3021.exe	Get hash	malicious	Unknown	Browse
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse
	Ref#103052.exe	Get hash	malicious	Unknown	Browse
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse
	Ref#1550238.exe	Get hash	malicious	Unknown	Browse
	JuneOrder.exe	Get hash	malicious	AsyncRAT, Babadeda, PureLog Stealer, zgRAT	Browse
	TamenuV11.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#103052.exe	Get hash	malicious	XWorm	Browse	194.15.112.248
	Ref#103052.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	194.15.112.248
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#116670.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTSLICK-GERMANYNL	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#103052.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#1550238.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	an_api.exe	Get hash	malicious	Unknown	Browse	193.142.146.64
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	193.142.146.64

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.75730569213037
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IMG_10503677.exe
File size:	132'728 bytes
MD5:	bec6fbf31cafe1b9a1dfc31bf0cedcf8
SHA1:	8fe578a67e5fcecc32e6df8eefeeeca7318de05f
SHA256:	3f1b9a5120a45f7e6cd142b62f7b332c42637fe90bb5e7250f23f437a60c0c2d
SHA512:	2ca512f838c70069187608a00f8fa5ed6097f267e66a08ad9f5070524e49b16b22f5a7a85110f32649e9c62c403100f026e159c3899dac8d5bcef58ce0cda3a7
SSDEEP:	1536:c7HNE1u/vAka2JxU7bCuoQCNehDiIC/m8:yt+6Bq+n1KDpC/j
TLSH:	B6D3AA1DE3C0E4CFDD85767234A2261737656DD229AE9C039E62B2DC1EB12C279CB198
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................n.... ........@.. .......................@............`................................

File Icon


Icon Hash:	b04a484c4c4a4eb0

Static PE Info

General

Entrypoint:	0x40e26e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6780CFCB [Fri Jan 10 07:44:11 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	19/10/2023 10:33:01 19/10/2024 10:33:01
Subject Chain	CN=Helpfeel Inc, OU=\u958b\u767a\u90e8, O=Helpfeel Inc, STREET=110-16 Goshohachiman-cho, L="Kyoto-shi, Kamigyo-ku", S=Kyoto, C=JP, OID.1.3.6.1.4.1.311.60.2.1.3=JP, SERIALNUMBER=1300-01-068185, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	0D966BC363CD56690E80EE36566E3C7B
Thumbprint SHA-1:	A955D2CBD3F7D394053A3C5219A93AF13917EA0D
Thumbprint SHA-256:	2362CABC8423B1EE01F2DE0F40197E509F8FA6DCF631E687EDB44792B241E526
Serial:	138A5335DB02BAFDC71DC47A

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe218	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1d800	0x2e78	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc274	0xc400	1fdb29fbb7239e212c20e369d13ea081	False	0.5696747448979592	data	6.210702018587367	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x11000	0x11000	07ed9293ffb58f48ddbec434632dcf7f	False	0.056382123161764705	data	4.117220823261838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x22000	0xc	0x200	c6c1711d08a49951b549b8a17cf75daa	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x10130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.046492369572932686
RT_GROUP_ICON	0x20958	0x14	data	1.15
RT_VERSION	0x2096c	0x374	data	0.4230769230769231
RT_MANIFEST	0x20ce0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:39:54.119642019 CET	49732	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:39:54.119740963 CET	443	49732	5.253.86.15	192.168.2.4
Jan 10, 2025 11:39:54.119821072 CET	49732	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:39:54.136656046 CET	49732	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:39:54.136750937 CET	443	49732	5.253.86.15	192.168.2.4
Jan 10, 2025 11:40:36.913147926 CET	443	49732	5.253.86.15	192.168.2.4
Jan 10, 2025 11:40:36.913252115 CET	49732	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:40:36.922272921 CET	49732	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:40:36.922332048 CET	443	49732	5.253.86.15	192.168.2.4
Jan 10, 2025 11:40:36.933767080 CET	49739	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:40:36.933808088 CET	443	49739	5.253.86.15	192.168.2.4
Jan 10, 2025 11:40:36.933900118 CET	49739	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:40:36.934257030 CET	49739	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:40:36.934273958 CET	443	49739	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:19.645812988 CET	443	49739	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:19.645895958 CET	49739	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:19.646991014 CET	49739	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:19.647011995 CET	443	49739	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:24.672466040 CET	49970	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:24.672508955 CET	443	49970	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:24.672696114 CET	49970	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:24.673021078 CET	49970	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:24.673031092 CET	443	49970	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:50.141769886 CET	49970	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:50.142082930 CET	443	49970	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:50.142143965 CET	49970	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:55.156802893 CET	50007	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:55.156855106 CET	443	50007	5.253.86.15	192.168.2.4
Jan 10, 2025 11:41:55.157222033 CET	50007	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:55.157629013 CET	50007	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:41:55.157646894 CET	443	50007	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:03.827732086 CET	50007	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:03.871334076 CET	443	50007	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:08.845468044 CET	50008	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:08.845514059 CET	443	50008	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:08.851334095 CET	50008	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:08.851881027 CET	50008	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:08.851897001 CET	443	50008	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:13.421492100 CET	50008	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:13.463387966 CET	443	50008	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:16.546732903 CET	443	50007	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:16.546834946 CET	50007	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:18.439332962 CET	50009	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:18.439373016 CET	443	50009	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:18.439996004 CET	50009	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:18.443279982 CET	50009	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:18.443293095 CET	443	50009	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:30.405916929 CET	443	50008	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:30.411339998 CET	50008	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:35.140372038 CET	50009	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:35.183332920 CET	443	50009	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:39.841677904 CET	443	50009	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:39.841768026 CET	50009	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:40.157030106 CET	50010	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:40.157085896 CET	443	50010	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:40.157210112 CET	50010	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:40.157694101 CET	50010	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:40.157716036 CET	443	50010	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:47.940712929 CET	50010	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:47.983340979 CET	443	50010	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:52.953926086 CET	50011	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:52.953968048 CET	443	50011	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:52.954245090 CET	50011	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:52.954649925 CET	50011	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:52.954678059 CET	443	50011	5.253.86.15	192.168.2.4
Jan 10, 2025 11:42:57.407335997 CET	50011	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:42:57.451337099 CET	443	50011	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:01.544266939 CET	443	50010	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:01.544517040 CET	50010	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:02.438849926 CET	50012	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:02.438905954 CET	443	50012	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:02.438986063 CET	50012	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:02.443506002 CET	50012	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:02.443531036 CET	443	50012	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:09.928155899 CET	50012	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:09.971347094 CET	443	50012	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:14.437418938 CET	443	50011	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:14.437489986 CET	50011	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:14.937870979 CET	50013	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:14.937971115 CET	443	50013	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:14.938074112 CET	50013	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:14.938617945 CET	50013	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:14.938644886 CET	443	50013	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:23.825556993 CET	443	50012	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:23.825625896 CET	50012	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:39.015152931 CET	50013	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:39.015356064 CET	443	50013	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:39.015506983 CET	50013	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:44.032068014 CET	50014	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:44.032114983 CET	443	50014	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:44.032177925 CET	50014	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:44.032797098 CET	50014	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:44.032809973 CET	443	50014	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:44.265142918 CET	50014	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:44.311327934 CET	443	50014	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:49.283379078 CET	50015	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:49.283433914 CET	443	50015	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:49.283507109 CET	50015	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:49.283895969 CET	50015	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:49.283905983 CET	443	50015	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:51.595397949 CET	50015	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:51.639336109 CET	443	50015	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:56.610413074 CET	50016	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:56.610457897 CET	443	50016	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:56.610546112 CET	50016	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:56.611174107 CET	50016	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:56.611186981 CET	443	50016	5.253.86.15	192.168.2.4
Jan 10, 2025 11:43:59.285933018 CET	50016	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:43:59.331331968 CET	443	50016	5.253.86.15	192.168.2.4
Jan 10, 2025 11:44:04.296925068 CET	50017	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:44:04.297028065 CET	443	50017	5.253.86.15	192.168.2.4
Jan 10, 2025 11:44:04.297164917 CET	50017	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:44:04.297482967 CET	50017	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:44:04.297516108 CET	443	50017	5.253.86.15	192.168.2.4
Jan 10, 2025 11:44:05.420568943 CET	443	50014	5.253.86.15	192.168.2.4
Jan 10, 2025 11:44:05.420931101 CET	50014	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:44:10.654135942 CET	443	50015	5.253.86.15	192.168.2.4
Jan 10, 2025 11:44:10.654182911 CET	50015	443	192.168.2.4	5.253.86.15
Jan 10, 2025 11:44:17.968770981 CET	443	50016	5.253.86.15	192.168.2.4
Jan 10, 2025 11:44:17.969084024 CET	50016	443	192.168.2.4	5.253.86.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:39:54.078016043 CET	60008	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:39:54.107490063 CET	53	60008	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:39:54.078016043 CET	192.168.2.4	1.1.1.1	0x7d1	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:39:54.107490063 CET	1.1.1.1	192.168.2.4	0x7d1	No error (0)	oshi.at		5.253.86.15	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:39:54.107490063 CET	1.1.1.1	192.168.2.4	0x7d1	No error (0)	oshi.at		194.15.112.248	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: IMG_10503677.exePID: 5680, Parent PID: 2580

General

Target ID:	0
Start time:	05:39:52
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\IMG_10503677.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMG_10503677.exe"
Imagebase:	0xc50000
File size:	132'728 bytes
MD5 hash:	BEC6FBF31CAFE1B9A1DFC31BF0CEDCF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: IMG_10503677.exePID: 5680, Parent PID: 2580COMMON

Executed Functions

Function 015A3495 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a047ae0319d628badcfb922c05370c58d361709012fcbff7746e60a26c581d
Instruction ID: d433bffeac5e95869b365c3f9666dbbebbb2dc9863b9dda3a6f05cea2705aa69
Opcode Fuzzy Hash: 84a047ae0319d628badcfb922c05370c58d361709012fcbff7746e60a26c581d
Instruction Fuzzy Hash: 1BD1F431A4520ACFCB81CF98D890AEEBBF1FF84318F958966D406AF251D734E946CB51

Function 015A5BDF Relevance: 9.0, Strings: 6, Instructions: 1455COMMON

Download Yara Rule

Strings

$^q, xrefs: 015A5C07
TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
4'^q, xrefs: 015A5C1B
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$jjjjjj$$^q$$^q$$^q
API String ID: 0-898372746
Opcode ID: 045a6e3d482daffc20d15a4ca97b6b2f31164268c4108725aebee08845244e04
Instruction ID: 9705b64e06c4f8df927df632efe3b4b1d3db34c519d23e8b757c4204f936c658
Opcode Fuzzy Hash: 045a6e3d482daffc20d15a4ca97b6b2f31164268c4108725aebee08845244e04
Instruction Fuzzy Hash: DCE2287A250114EFDB4A9F98D958D55BBB2FF4D32471A81D8F2099B232C732E861EF40

Function 015A5C9F Relevance: 7.7, Strings: 5, Instructions: 1443COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
TJcq, xrefs: 015A6122
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$TJcq$jjjjjj$$^q$$^q
API String ID: 0-2499309246
Opcode ID: e913ea8f41e6ed8f67f857af50001f64c1d25198ac7ae68699645250997e35e3
Instruction ID: 8015fa076c1da29d31829ff5c1208d85670e8b7eae4faa1f012084031c8d2256
Opcode Fuzzy Hash: e913ea8f41e6ed8f67f857af50001f64c1d25198ac7ae68699645250997e35e3
Instruction Fuzzy Hash: F1E2187A250510EFDB4A9F98D958D55BBB2FF4D32471A81D8F2099B232C732E861EF40

Function 015A5C88 Relevance: 7.7, Strings: 5, Instructions: 1434COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
4'^q, xrefs: 015A5C1B
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$jjjjjj$$^q$$^q
API String ID: 0-1881681865
Opcode ID: e40c4381c04771d22898ed70f4e7f24f81de3c42dccdf55cbf44fcb61a2c2887
Instruction ID: 295f81c6fff48e869ec9c02322bbe1d971ee6875653e9d937dc68f76435e46d7
Opcode Fuzzy Hash: e40c4381c04771d22898ed70f4e7f24f81de3c42dccdf55cbf44fcb61a2c2887
Instruction Fuzzy Hash: DBE2187A250110EFDB4A9F98D958D55BBB2FF4D32471A81D8F2099B232C732E861EF40

Function 015A5C50 Relevance: 6.4, Strings: 4, Instructions: 1422COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$jjjjjj$$^q$$^q
API String ID: 0-672324049
Opcode ID: 44cbd5dafabcc0f5189739d026c525694b90244cf4ecd59a48aa30c1fdf13b40
Instruction ID: 26b83085a52bee6ffbd5901ed2260ee0cfbd19a7d4c31f7c353816c1726e91d9
Opcode Fuzzy Hash: 44cbd5dafabcc0f5189739d026c525694b90244cf4ecd59a48aa30c1fdf13b40
Instruction Fuzzy Hash: 95D2187A250510EFDB4A9F98D958D55BBB2FF4D32471A81D8F2099B232C732E861EF40

Function 015A5B98 Relevance: 6.4, Strings: 4, Instructions: 1418COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$jjjjjj$$^q$$^q
API String ID: 0-672324049
Opcode ID: ee8e6020407562152c973db3a07c159ec1eeec467a2681730934f433bfee5f33
Instruction ID: 220326c074398663ccc21b3aa7f0bcf22e6d3c27dd77394b3955bb432c4d3c1d
Opcode Fuzzy Hash: ee8e6020407562152c973db3a07c159ec1eeec467a2681730934f433bfee5f33
Instruction Fuzzy Hash: 45D2187A250110EFDB4A9F98D958D55BBB2FF4D32471A81D8F2099B232C732E861EF40

Function 015A5BCA Relevance: 6.4, Strings: 4, Instructions: 1413COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$jjjjjj$$^q$$^q
API String ID: 0-672324049
Opcode ID: 26a7033ed43f54f47b0a93e2ceeb88141abe50a011928f6cc7b404481e2d5b65
Instruction ID: e64852c969f9c0a446c142474a024867c2b2e43b396b589d44a09379bc73bfc9
Opcode Fuzzy Hash: 26a7033ed43f54f47b0a93e2ceeb88141abe50a011928f6cc7b404481e2d5b65
Instruction Fuzzy Hash: 91D2187A250510EFDB4A9F98D958D55BBB2FF4D32471A81D8F2099B232C732E861EF40

Function 015A49F8 Relevance: 6.3, Strings: 5, Instructions: 7COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
TJcq, xrefs: 015A6122
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$TJcq$jjjjjj$$^q$$^q
API String ID: 0-2499309246
Opcode ID: 51190127e898f4f2c8b9befa19432616fd00b359cace02d99488f9f1b782a980
Instruction ID: ed0c640c91c3e75e60ab34601b530f4daada291bd81bf561a234432470c1fc87
Opcode Fuzzy Hash: 51190127e898f4f2c8b9befa19432616fd00b359cace02d99488f9f1b782a980
Instruction Fuzzy Hash: 6BB0926181E281CE8B124A9884E1128BEA0AB62181759C8EA98854E48BD5A0C585D7A2

Function 015A4600 Relevance: 5.2, Strings: 4, Instructions: 201COMMON

Download Yara Rule

Strings

$^q, xrefs: 015A4875
$^q, xrefs: 015A4869
d%dq, xrefs: 015A47A5
d%dq, xrefs: 015A4713

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: d%dq$d%dq$$^q$$^q
API String ID: 0-141320698
Opcode ID: 7d51c9dcd4aa71bb01c94adaa6127174f2bf722275477a79fd17659cbbffcd80
Instruction ID: 97d4b7bda5b85802073587b609c6ffd933247a503e904975037b7b170e2becab
Opcode Fuzzy Hash: 7d51c9dcd4aa71bb01c94adaa6127174f2bf722275477a79fd17659cbbffcd80
Instruction Fuzzy Hash: DE613830784345CFD7189BB89860B2E7BE6BBC6700F69496AD506DF3E5DAB1CC428391

Function 015A2359 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

E, xrefs: 015A23E2

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 2050e4009eb6c81220f77e544b8248c8ca4e0f5e3960c24d37e3ba7fd3c63d2b
Instruction ID: 71ee9b129c5a1ab7347b29b215e1548e3edb7121ce61a02db76350eab8fcde14
Opcode Fuzzy Hash: 2050e4009eb6c81220f77e544b8248c8ca4e0f5e3960c24d37e3ba7fd3c63d2b
Instruction Fuzzy Hash: D531F57178C3419FEB618A3D98463AE7FE6FF92264FC4093BD882CE681E265D485C351

Function 015A19B0 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Te^q, xrefs: 015A19B0

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 712ac31de93465ce33c029398b402a75bc85b183d68f0a571a25ca3584ee761c
Instruction ID: 4f0f58b1fa7f03b4c21bb8ee01181381f092e580b85dc61635a06cd4fe37e3a0
Opcode Fuzzy Hash: 712ac31de93465ce33c029398b402a75bc85b183d68f0a571a25ca3584ee761c
Instruction Fuzzy Hash: 80311634B40615CFDB14DBA9D5A8BADBBF1BF88704F514469E916DF3A1CB709805CB80

Function 015A09D0 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

tocq, xrefs: 015A0A0E

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: tocq
API String ID: 0-4013956356
Opcode ID: 48d03f388572cd92adbe85e671495d32180061d8540caa62ecdde06117f592a1
Instruction ID: fa241f0398d799790313bb5ec6de6224ce9bb2e1eec2447b2ac76e57233b8b3b
Opcode Fuzzy Hash: 48d03f388572cd92adbe85e671495d32180061d8540caa62ecdde06117f592a1
Instruction Fuzzy Hash: 5D216974B202048FC754AB78D468AAE7BF2FF88710F514469E506EB3A4DA749C01DBA1

Function 015A09E0 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

tocq, xrefs: 015A0A0E

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: tocq
API String ID: 0-4013956356
Opcode ID: e91212d48bb52a8c33835dccdf49e5cfd5e09055ee1480a499989b731b481266
Instruction ID: d071cee7ff7c29c20838b0b3f105245264bdeb6dc597fc279e50da3b002430a6
Opcode Fuzzy Hash: e91212d48bb52a8c33835dccdf49e5cfd5e09055ee1480a499989b731b481266
Instruction Fuzzy Hash: 6E217974B102088FCB54AB78D568A6E7BF2BF8C210F514468E506EB3A4DF749C01DBA1

Function 015A1147 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d22879391b82a903869b21bd02f599c6ad6d032af4c2f48717291eff5d7672
Instruction ID: 1106c79b870c2b390bc1e58046e81d75fa059585546872623d565f90f0863791
Opcode Fuzzy Hash: 38d22879391b82a903869b21bd02f599c6ad6d032af4c2f48717291eff5d7672
Instruction Fuzzy Hash: E261FF30A84A068FDB16CF69D8947AE7BF2FF85300F94886AD506DF695DB34E841CB50

Function 015A2468 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5fb8c9fd9c2a586cf5cadce59f7e6d3a0603b8633c6e15c58288a36ab5eb00
Instruction ID: 2f65519e2e6235b633eeb44626a1e836f4eb15c922b5523094bbedea49cdfb7f
Opcode Fuzzy Hash: be5fb8c9fd9c2a586cf5cadce59f7e6d3a0603b8633c6e15c58288a36ab5eb00
Instruction Fuzzy Hash: E3518A30A44705CFD724CF69D45176ABBF1FB88310F848A2AC5878FB95E775E8898B81

Function 015A2040 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b775b05cfc9c26fa3b62cfcb27b2b94119772382f6e5e3b175ef179c1bfc3547
Instruction ID: 9e10abebbb224dd533ceec83653d024474355c0741dfd5587dba7018173ed02d
Opcode Fuzzy Hash: b775b05cfc9c26fa3b62cfcb27b2b94119772382f6e5e3b175ef179c1bfc3547
Instruction Fuzzy Hash: EC419F34B802099FDB58AB69842266E7BF7FBC4700F55C969C609CF254EE31D942CBD2

Function 015A1FD0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce3f6bf3153093e020487ed4818e45993cfb4df7e1446272d44e8c6e0c90141
Instruction ID: 105272a38877cb7fbd606314988df3ef6632b596991a542798bedca3a6c7b8b5
Opcode Fuzzy Hash: 1ce3f6bf3153093e020487ed4818e45993cfb4df7e1446272d44e8c6e0c90141
Instruction Fuzzy Hash: 0431B1347C82099FEB18DA28D42226E3BB3FB85300F95896AC705CF259DA31D946C792

Function 015A2030 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130f02a2968bdb8c778c60ad29d3eb227775f2d9c03132b6a244bfe06fc325f3
Instruction ID: fc12feefb17f474bb27f7d66b7bf8855149c0a966b0404151b35f715ce545f66
Opcode Fuzzy Hash: 130f02a2968bdb8c778c60ad29d3eb227775f2d9c03132b6a244bfe06fc325f3
Instruction Fuzzy Hash: F1318034B842099FE7589A24942266E3BF3FB85700F958969C605CF255DA31D942CB92

Function 015A0B18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d71b64c188c61abaa0f7948d034883c0ea3f92dbb4299e4adddb2db11ec99c
Instruction ID: 7a8a1565e90f68717647784c798cb9a561f85d7caa2e75be923880ef8201bfa8
Opcode Fuzzy Hash: 20d71b64c188c61abaa0f7948d034883c0ea3f92dbb4299e4adddb2db11ec99c
Instruction Fuzzy Hash: E931A030B102158FDB58AF68D4186BD77F2FBC8315B204129E50ADB3A0EE75AD468B91

Function 015A6AC6 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6405ddc499b95b4d8085762dfef98589dc833b42350fafd31b5f3569367b8c
Instruction ID: ae6266c2d1b7206f3625d6612f2969ee7312430725fd142f83dd9fe26e49c17f
Opcode Fuzzy Hash: 1d6405ddc499b95b4d8085762dfef98589dc833b42350fafd31b5f3569367b8c
Instruction Fuzzy Hash: FF3115B0D0025C9FDB14DFAAC590ADEBFF5BF48310F288429E949AB250DB749945CFA0

Function 015A6AD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b793e6c63341f8d75c68e8cfca5166e0e53f9e865a321789c981ef42fd57d2b0
Instruction ID: 57845c7437187a1c3df3044837711f0f757a1c0b92bad2141781daa3d3f1429d
Opcode Fuzzy Hash: b793e6c63341f8d75c68e8cfca5166e0e53f9e865a321789c981ef42fd57d2b0
Instruction Fuzzy Hash: 2A3133B0D0025C9FDB14CFAAC580ADEBFF5BF48310F288429E909AB250DB749945CFA0

Function 015A0F25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67bb728ae093c38028454c943d196c2af7594386086df1f2b7702bfc44e04c2
Instruction ID: c4e67952f6eb14a6863953f2b10e00e717280a1155dc950f83f17c4483b4132a
Opcode Fuzzy Hash: e67bb728ae093c38028454c943d196c2af7594386086df1f2b7702bfc44e04c2
Instruction Fuzzy Hash: A2214874A9020ACFCB46DFA8C49466DBBF6FF88204B508559E419EF369DB30D906CB51

Function 015A0F65 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1485cc81ca868d226357dc113ba50ad2e0d319d46a05ff2618938e14ac34ea15
Instruction ID: df7f9122a61f6169481360cbe4185a29aeb1e6450e965d0a096c12fe3b49b2ad
Opcode Fuzzy Hash: 1485cc81ca868d226357dc113ba50ad2e0d319d46a05ff2618938e14ac34ea15
Instruction Fuzzy Hash: 58210674A40206CFCB40DF78C8A85ADBBB2FF88315F509965E519AF3A9CB309906CB11

Function 015A103D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2765539db35416af80ee61c916f9e08ece73dff934c3925aaa72433747171fd
Instruction ID: 07143aec54a7ec46f425e7c66c2cf18a4218ed52f7310a50ced9c171d6baba98
Opcode Fuzzy Hash: a2765539db35416af80ee61c916f9e08ece73dff934c3925aaa72433747171fd
Instruction Fuzzy Hash: 67217174A042469FCB46DF78C8A45AEBBB2FF89204B0285AAD505DB366DB309D06CB51

Function 015A0B50 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fee3d9f5c7140870166c73214865992377f9bc8ff620735f8c73efb16f58c6
Instruction ID: 51a4a7fa72d2ce9ea67881f56d3242494db37d031c94b249be058ca5a67fb761
Opcode Fuzzy Hash: 48fee3d9f5c7140870166c73214865992377f9bc8ff620735f8c73efb16f58c6
Instruction Fuzzy Hash: 53218E307002158FDB59AB68E01826C73F3BBC931AB210528E50ADF3A4DE75AC468791

Function 015A1058 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b0f163a76063bbfe7fdee5517b403eb1ba6c180acc992bacc62425f0752561
Instruction ID: 0cfc8d9406ead4c972ad4f2abe13ee2599f9d07b5978619742667c727d563838
Opcode Fuzzy Hash: 50b0f163a76063bbfe7fdee5517b403eb1ba6c180acc992bacc62425f0752561
Instruction Fuzzy Hash: 7411B674A0020A9FCB44EFA8C85596EBBF2FF88304F518569D509AB369DB309D06CF51

Function 015A378E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c101701942d33189f817682f7395b63878b9a08e2b8ee88ea59952683969c33c
Instruction ID: 2b171bcf40460f23c59f6b2d1a17b14aed900922699671714235b3a5671716b1
Opcode Fuzzy Hash: c101701942d33189f817682f7395b63878b9a08e2b8ee88ea59952683969c33c
Instruction Fuzzy Hash: 49110A75A0110ADFDB50DF58D980AAEBBB2FF44308F618511E819EB255D730EE86CBA0

Function 015A1A59 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33accbf91f7dad683e3bf8547121d3ea943c0ee466f660b8bf38a43dd1d1fd53
Instruction ID: 51567abecbcff6d4384694db96cbb044be738388c48a8c56ece2e275c787b051
Opcode Fuzzy Hash: 33accbf91f7dad683e3bf8547121d3ea943c0ee466f660b8bf38a43dd1d1fd53
Instruction Fuzzy Hash: 77114834A80608CFEB14CF98D5A4BAC7BF1FB48310F510465E512AF395CAB09A44CB81

Function 015A2238 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90093bc370c7ed4ac7eeb1cc707f95c20f992b9ca0324031e6f4c5267f687f71
Instruction ID: 96434c29fd380864d60a267dcd666ca6d414fd26be6bda97117950f250ce5070
Opcode Fuzzy Hash: 90093bc370c7ed4ac7eeb1cc707f95c20f992b9ca0324031e6f4c5267f687f71
Instruction Fuzzy Hash: FD012830B442159FC3A087289815B7E7FE6FF89340FD4086AF81ADF3A5CA709C058351

Function 0154D785 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153854993.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188be5edc2bc35b28ef2cc16cf8f9538bb3ab297d17383e69a173f56768528a3
Instruction ID: 9ed39d8daf7cb6b7a2ac6cb5d3acb09ffd7fd5789354c2bb57062cf48689482f
Opcode Fuzzy Hash: 188be5edc2bc35b28ef2cc16cf8f9538bb3ab297d17383e69a173f56768528a3
Instruction Fuzzy Hash: 5401A7311083849BE711CB69CEC4B6BBFF8FF55728F18C82AED094E296C6799841C671

Function 015A2248 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ed4e1f093cb385489dea490307eebbfa175a3b80a00b2ffcb1a634ca90f825
Instruction ID: 133651ae035bb36a729ffbcb44b4fd2c12550bd8cf7860a077d15b914e5fdc2b
Opcode Fuzzy Hash: a6ed4e1f093cb385489dea490307eebbfa175a3b80a00b2ffcb1a634ca90f825
Instruction Fuzzy Hash: F401D1307441169BC3A49B5D9845B3E7AEAFF8D300FD44925F90ADF3A4DA70DC008351

Function 015A19DB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57f694e56aa1d6e6a8e14f0aa5eb24efc96de07cda128b8fc3fe230f9d4ce94
Instruction ID: 3d9e00f8dc5db27e31c5228c800bbf833f85effa5b693d53d4376cc6966d0d26
Opcode Fuzzy Hash: f57f694e56aa1d6e6a8e14f0aa5eb24efc96de07cda128b8fc3fe230f9d4ce94
Instruction Fuzzy Hash: B9012870A80606DFDB158FA9C9A4B6DBBF6BF88304F510469E506DF3A5DBB49C01CB80

Function 0154D784 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153854993.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e20c58a11159d84290a2f4f24f720564250f3fd4595ca3e981ac87ca3d52926
Instruction ID: ae1fcf71a8efa580b8a2155adf2a9d080f7afc2473d5673ed19234f83db1db0a
Opcode Fuzzy Hash: 0e20c58a11159d84290a2f4f24f720564250f3fd4595ca3e981ac87ca3d52926
Instruction Fuzzy Hash: DBF062714043849AE7258F1ACDC8B66FFA8EB55628F18C45AED084E296C2799845CA71

Function 015A07DB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69831c68ef0cd07e747e37114a78e2fbada2b2db7165de5033484d30708d7c0d
Instruction ID: b0dc4aaf70ff48c09c0f836c958276254852d981a44e8eefefcbbade6e922cef
Opcode Fuzzy Hash: 69831c68ef0cd07e747e37114a78e2fbada2b2db7165de5033484d30708d7c0d
Instruction Fuzzy Hash: FBF0EDB286D3E08FC743AF3898A10D13FB4EC5321438A01E7E488CE1A3E124894DD7B6

Function 015A340E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4757f6e45991873ca520ee32ed3de2ba8eb4fefbc2b25e3fd4c669d78928e17
Instruction ID: 4529937d5e273766ebd0bf5416df9f4b106b8d9707e4b52f04f22303bda618bc
Opcode Fuzzy Hash: e4757f6e45991873ca520ee32ed3de2ba8eb4fefbc2b25e3fd4c669d78928e17
Instruction Fuzzy Hash: ACE092323002164FC7656669F8588BFBBD6FBC9218740493EE11E8F224EE20AC4A4790

Function 015A09B1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da4579eea6dbe40946cc51476495e5a5a0440db797d0415866e0f262a7a3d73
Instruction ID: 6da9738477cdad2ecc8449c6abc7777aaa5d9ab6d663737750e847e0787fb447
Opcode Fuzzy Hash: 7da4579eea6dbe40946cc51476495e5a5a0440db797d0415866e0f262a7a3d73
Instruction Fuzzy Hash: 0FC04C1401E3C42AD74707144C355A93F2AE8430193AE05C2A8C589553D01695194366

Function 015A33D3 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38cc66744c86be4cf79bbe53f4e70be0f6ae4468e62f392d7ab717e17bb31d8
Instruction ID: 892981af8a6891492f2b0a1869338f59c47ff4f62e36be4cf04b8879c634d462
Opcode Fuzzy Hash: f38cc66744c86be4cf79bbe53f4e70be0f6ae4468e62f392d7ab717e17bb31d8
Instruction Fuzzy Hash: D2C0123820020ACFCB12EF08F570A88B321EB84241B005122CA268312DDB306A6D9B41

Function 015A0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2361cd81f662cd261bb5b83c1bac04185ed25d39630677f247a2046fa4b44f5b
Instruction ID: 26c034eb25a223cc6249e7574efcff7d05ddd27bd58bd71d45eafd671b13691c
Opcode Fuzzy Hash: 2361cd81f662cd261bb5b83c1bac04185ed25d39630677f247a2046fa4b44f5b
Instruction Fuzzy Hash: 2790443000030CCF030033C0300C0003F0CF000C003C00000F00C000003F0030000FC0

Non-executed Functions

Function 015A4A45 Relevance: 6.3, Strings: 5, Instructions: 6COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01
T, xrefs: 015A4A47

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: T$TJcq$jjjjjj$$^q$$^q
API String ID: 0-3815819399
Opcode ID: 85cbf97735a773c299ad15ec80f794bf79cbe9f6a63bd93607954486b3d63913
Instruction ID: fba6462c25a87c978b20bfc26b76ab1aecf57680cc0841805073b98d04cd128f
Opcode Fuzzy Hash: 85cbf97735a773c299ad15ec80f794bf79cbe9f6a63bd93607954486b3d63913
Instruction Fuzzy Hash: 9EB09270900205CF8F01CA0481E0428B3B1FB8160135980AEC0030E016C3B08987DB02

Function 015A4A8D Relevance: 5.0, Strings: 4, Instructions: 6COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$jjjjjj$$^q$$^q
API String ID: 0-672324049
Opcode ID: 4dbf546d7c36a08cdf27b523243929a1d549c59407024e26851ed6a917e607a5
Instruction ID: ac1957a7995c54c4b77e6b5082d6d44a6606cc46eddb4fa8e7057d3c99b6e1b7
Opcode Fuzzy Hash: 4dbf546d7c36a08cdf27b523243929a1d549c59407024e26851ed6a917e607a5
Instruction Fuzzy Hash: 13B0922180E3C0CECB234E9585C01407F70AA62181309C1FBC4850E44BC1248586D732

Function 015A4A69 Relevance: 5.0, Strings: 4, Instructions: 5COMMON

Download Yara Rule

Strings

TJcq, xrefs: 015A4BD5
$^q, xrefs: 015A4C17
jjjjjj, xrefs: 015A4B5F
$^q, xrefs: 015A4C01

Memory Dump Source

Source File: 00000000.00000002.4154049995.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_IMG_10503677.jbxd

Similarity

API ID:
String ID: TJcq$jjjjjj$$^q$$^q
API String ID: 0-672324049
Opcode ID: 1000157de5b7fea1b888749b718d162399c006f687816757ca59887ac6cfb73a
Instruction ID: 058e0fcac52b3a18ee67e3e53ce61d1322b4d3b1ecdf976e8eeda369abad0664
Opcode Fuzzy Hash: 1000157de5b7fea1b888749b718d162399c006f687816757ca59887ac6cfb73a
Instruction Fuzzy Hash: 02B01130208000CACA008A8088A022C32A0BF8220AB3A88AAC00B0E202C3B0C882CB02

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMG_10503677.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: IMG_10503677.exePID: 5680, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
IMG_10503677.exe