Edit tour

Windows Analysis Report
MEMZ-Clean.exe

Overview

General Information

Sample name:	MEMZ-Clean.exe
Analysis ID:	1671575
MD5:	df027834a1deae36a1641f6554291a2f
SHA1:	d3c5b5712dc83d1c3c55496a7f4305936411d2fb
SHA256:	ae0446c03013c95ee19e28feda0d4ee3d445ae5e8981cdb32cc77834c3afad85
Tags:	exeuser-FelloBoiYuuka
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MEMZ-Clean.exe (PID: 8072 cmdline: "C:\Users\user\Desktop\MEMZ-Clean.exe" MD5: DF027834A1DEAE36A1641F6554291A2F)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MEMZ-Clean.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: MEMZ-Clean.exe	Virustotal: Detection: 60%			Perma Link
Source: MEMZ-Clean.exe	ReversingLabs: Detection: 61%

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Code function: 0_2_008323F0 CryptAcquireContextW,ExitProcess,CryptGenRandom,

0_2_008323F0

Source: MEMZ-Clean.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: MEMZ-Clean.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=batch
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=best
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=bonzi
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=dank
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=facebook
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=g3t
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=half
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=how
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=internet
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=is
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=john
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=mcafee
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=minecraft
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=montage
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=my
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=skrillex
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=stanky
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=the
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=vinesauce
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=virus
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=virus.exe
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=virus.exehttp://google.co.ck/search?q=internet
Source: MEMZ-Clean.exe	String found in binary or memory: http://google.co.ck/search?q=what
Source: MEMZ-Clean.exe	String found in binary or memory: http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
Source: MEMZ-Clean.exe	String found in binary or memory: http://pcoptimizerpro.com
Source: MEMZ-Clean.exe	String found in binary or memory: http://play.clubpenguin.com
Source: MEMZ-Clean.exe	String found in binary or memory: http://softonic.com

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Code function: 0_2_00831000 GetKeyState,GetKeyState,GetKeyState,RedrawWindow,GetDesktopWindow,GetWindowRect,RedrawWindow,EnumWindows,RedrawWindow,GetKeyState,GetKeyState,Sleep,GetKeyState,GetKeyState,GetKeyState,GetKeyState,Sleep,SendMessageW,

0_2_00831000

Source: MEMZ-Clean.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal56.winEXE@1/0@1/0

Source: MEMZ-Clean.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MEMZ-Clean.exe	Virustotal: Detection: 60%
Source: MEMZ-Clean.exe	ReversingLabs: Detection: 61%

Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Window detected: Number of UI elements: 11

Source: MEMZ-Clean.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Code function: 0_2_0083146B push ecx; mov dword ptr [esp], ebx

0_2_0083187D

Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Window / User API: threadDelayed 2245	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Window / User API: threadDelayed 1352	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Window / User API: threadDelayed 4694	Jump to behavior

Source: C:\Users\user\Desktop\MEMZ-Clean.exe TID: 8168

Thread sleep time: -46940s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Thread sleep count: Count: 2245 delay: -10	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Thread sleep count: Count: 1352 delay: -10	Jump to behavior
Source: C:\Users\user\Desktop\MEMZ-Clean.exe	Thread sleep count: Count: 4694 delay: -10	Jump to behavior

Source: C:\Users\user\Desktop\MEMZ-Clean.exe

API call chain: ExitProcess graph end node

graph_0-252

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	1 Input Capture	2 Virtualization/Sandbox Evasion	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MEMZ-Clean.exe	60%	Virustotal		Browse
MEMZ-Clean.exe	61%	ReversingLabs	Win32.Trojan.Zmem
MEMZ-Clean.exe	100%	Avira	TR/Zmem.bksjp

Name	IP	Active	Malicious	Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.221.38	true	false	high
pki-goog.l.google.com	192.178.49.195	true	false	high
c.pki.goog	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://google.co.ck/search?q=batch	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=facebook	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=montage	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=john	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=stanky	MEMZ-Clean.exe	false	high
http://play.clubpenguin.com	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=virus.exe	MEMZ-Clean.exe	false	high
http://softonic.com	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=the	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=best	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=mcafee	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=internet	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=virus	MEMZ-Clean.exe	false	high
http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=half	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=minecraft	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=g3t	MEMZ-Clean.exe	false	high
http://pcoptimizerpro.com	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=bonzi	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=what	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=dank	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=how	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=is	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=virus.exehttp://google.co.ck/search?q=internet	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=my	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=skrillex	MEMZ-Clean.exe	false	high
http://google.co.ck/search?q=vinesauce	MEMZ-Clean.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1671575
Start date and time:	2025-04-23 02:04:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MEMZ-Clean.exe
Detection:	MAL
Classification:	mal56.winEXE@1/0@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 150.171.28.254
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:06:41	API Interceptor	48563x Sleep call for process: MEMZ-Clean.exe modified

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.284064968257939
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MEMZ-Clean.exe
File size:	15'360 bytes
MD5:	df027834a1deae36a1641f6554291a2f
SHA1:	d3c5b5712dc83d1c3c55496a7f4305936411d2fb
SHA256:	ae0446c03013c95ee19e28feda0d4ee3d445ae5e8981cdb32cc77834c3afad85
SHA512:	f4c0685ecc2b4871cbea5fc0bd9615adb51fa018b1e55c6fba1b012fdc551b75d0a8086813deb007b9959f9aac890aa87c1aa390f708cf6582f0056ada736c7b
SSDEEP:	192:5SKETE4lwO9OALSnhOiMUrONpBfMgVy9DyhnGhnlIBfMTR9N7:tETE8F9OYEovf1QRIBEV9
TLSH:	B862855BFED76466EDA54D7024B2B63F8D257CA28C78CC0FE8804E576CD5CB6A012722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../.f...............%....."......k........0....@.................................7.....@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40146b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F02F8D [Sun Sep 22 14:54:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	45a290c211fb5cb4e33ea5c2443f4837

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 0000010Ch
call dword ptr [004061C0h]
mov dword ptr [00405000h], 00000000h
mov dword ptr [esp], 00000011h
call dword ptr [004061D4h]
push ecx
lea edx, dword ptr [ebp-74h]
mov dword ptr [esp+08h], edx
mov dword ptr [esp+04h], 0000005Ch
mov dword ptr [esp], eax
call dword ptr [004061D0h]
sub esp, 0Ch
lea eax, dword ptr [ebp-58h]
mov dword ptr [esp+34h], eax
movzx eax, byte ptr [ebp-59h]
mov dword ptr [esp+30h], eax
movzx eax, byte ptr [ebp-5Ah]
mov dword ptr [esp+2Ch], eax
movzx eax, byte ptr [ebp-5Bh]
mov dword ptr [esp+28h], eax
movzx eax, byte ptr [ebp-5Ch]
mov dword ptr [esp+24h], eax
movzx eax, byte ptr [ebp-5Dh]
mov dword ptr [esp+20h], eax
movzx eax, byte ptr [ebp-5Eh]
mov dword ptr [esp+1Ch], eax
movzx eax, byte ptr [ebp-5Fh]
mov dword ptr [esp+18h], eax
movzx eax, byte ptr [ebp-60h]
mov dword ptr [esp+14h], eax
mov eax, dword ptr [ebp-64h]
mov dword ptr [esp+10h], eax
mov eax, dword ptr [ebp-68h]
mov dword ptr [esp+0Ch], eax
mov eax, dword ptr [ebp-6Ch]
mov dword ptr [esp+08h], eax
mov eax, dword ptr [ebp-70h]
mov dword ptr [esp+04h], eax
mov eax, dword ptr [ebp-74h]
mov dword ptr [esp], eax
call dword ptr [004061CCh]
sub esp, 38h
mov dword ptr [00405004h], eax
mov dword ptr [ebp-000000A4h], 00000030h
mov dword ptr [ebp+00000000h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6000	0x828	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7000	0x204	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x61b4	0x114	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14e0	0x1600	21002354ff5b0196d920bc907b390970	False	0.4850852272727273	data	5.558653981049518	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x2c0	0x400	013bc9a7122c0757a8e7fb0e2334779f	False	0.25390625	Windows Precompiled iNF, version 0.1, InfStyle 1, src URL, at 0 "\001",, LanguageID 0	2.0345544686707315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0xf1c	0x1000	dd01f4b41f1321bab9a24984b6641f6d	False	0.360107421875	data	4.8968855857643385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6000	0x828	0xa00	930c7a1318929a1c90b2679ccd0f3615	False	0.36171875	data	4.127541473274507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x7000	0x204	0x400	8b1b8807fd12041e797f97f4d1085ee2	False	0.486328125	data	3.9348161289428107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextW, CryptGenRandom
COMCTL32.DLL	InitCommonControls
GDI32.dll	BitBlt, CreateFontW, GetObjectW, GetStockObject, SelectObject, StretchBlt, TextOutW
KERNEL32.dll	CreateThread, ExitProcess, FormatMessageW, GetCurrentProcessId, GetCurrentThreadId, GetModuleHandleW, GlobalAlloc, GlobalFree, LocalAlloc, Sleep, lstrlenW
SHELL32.dll	ShellExecuteA
USER32.dll	AdjustWindowRect, BeginPaint, CallNextHookEx, CreateWindowExW, DefWindowProcW, DispatchMessageW, DrawIcon, EndPaint, EnumChildWindows, EnumWindows, GetCursorPos, GetDesktopWindow, GetKeyState, GetMessageW, GetSystemMetrics, GetWindowDC, GetWindowLongW, GetWindowRect, GetWindowThreadProcessId, IsDialogMessageW, LoadIconW, MessageBoxA, MessageBoxW, RedrawWindow, RegisterClassExW, SendInput, SendMessageTimeoutW, SendMessageW, SetCursorPos, SetWindowsHookExW, ShowWindow, TranslateMessage, UnhookWindowsHookEx, UpdateWindow
WINMM.DLL	PlaySoundA, waveOutOpen, waveOutPause, waveOutPrepareHeader, waveOutReset, waveOutWrite

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2025 02:05:45.620446920 CEST	56040	53	192.168.2.5	1.1.1.1
Apr 23, 2025 02:05:45.760752916 CEST	53	56040	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2025 02:05:45.620446920 CEST	192.168.2.5	1.1.1.1	0xde2d	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.38	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.21	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.22	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.37	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.26	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.25	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.36	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:44.367940903 CEST	1.1.1.1	192.168.2.5	0x8808	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.221.23	A (IP address)	IN (0x0001)	false
Apr 23, 2025 02:05:45.760752916 CEST	1.1.1.1	192.168.2.5	0xde2d	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2025 02:05:45.760752916 CEST	1.1.1.1	192.168.2.5	0xde2d	No error (0)	pki-goog.l.google.com		192.178.49.195	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• MEMZ-Clean.exe

Click to jump to process

Memory Usage

• MEMZ-Clean.exe

Click to jump to process

Target ID:	0
Start time:	20:05:47
Start date:	22/04/2025
Path:	C:\Users\user\Desktop\MEMZ-Clean.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MEMZ-Clean.exe"
Imagebase:	0x830000
File size:	15'360 bytes
MD5 hash:	DF027834A1DEAE36A1641F6554291A2F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	36.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	147
Total number of Limit Nodes:	3

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00831000 Relevance: 22.6, APIs: 15, Instructions: 104
keyboardsleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyState.USER32 ref: 00831015
GetKeyState.USER32 ref: 00831021
GetDesktopWindow.USER32 ref: 00831043
GetWindowRect.USER32 ref: 00831053
RedrawWindow.USER32(00000000), ref: 0083107A
EnumWindows.USER32 ref: 0083108E
RedrawWindow.USER32 ref: 008310B8
GetKeyState.USER32 ref: 008310C4
GetKeyState.USER32 ref: 008310D0
Sleep.KERNEL32 ref: 008310DF
GetKeyState.USER32 ref: 008310EF
GetKeyState.USER32 ref: 008310FB
GetKeyState.USER32 ref: 00831107
Sleep.KERNELBASE(762BC0D0), ref: 00831116
SendMessageW.USER32(762BC0D0), ref: 00831158

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: State$Window$RedrawSleep$DesktopEnumMessageRectSendWindows
String ID:
API String ID: 2632062852-0
Opcode ID: 9a7444a67e20152d2efd9d2cd30ae5a0dd26f8a390af998c4a0eefdfe99a158c
Instruction ID: a6246dad886ca0cb8fb8c0ab86abb630a6b2a14ab5ed12f4c39f98b68c771b23
Opcode Fuzzy Hash: 9a7444a67e20152d2efd9d2cd30ae5a0dd26f8a390af998c4a0eefdfe99a158c
Instruction Fuzzy Hash: F0410EB4408705AFEB14AF68C99876BBBE4FF84748F01C91CE8C487251D77988848FE2

Function 0083146B Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 229
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitCommonControls.COMCTL32 ref: 00831477
GetStockObject.GDI32 ref: 0083148E
GetObjectW.GDI32 ref: 008314A7
CreateFontW.GDI32 ref: 00831519
RegisterClassExW.USER32 ref: 0083159F
AdjustWindowRect.USER32 ref: 00831609
GetModuleHandleW.KERNEL32 ref: 00831619
CreateWindowExW.USER32 ref: 0083168B
GetWindowLongW.USER32 ref: 008316BC
CreateWindowExW.USER32 ref: 0083174A
SendMessageW.USER32 ref: 00831773
CreateThread.KERNELBASE ref: 008317A5
SendMessageW.USER32 ref: 008317D4
ShowWindow.USER32 ref: 008317ED
KiUserCallbackDispatcher.NTDLL(00833040), ref: 008317FD
CreateThread.KERNELBASE ref: 00831833
KiUserCallbackDispatcher.NTDLL ref: 0083185D
TranslateMessage.USER32 ref: 00831876
DispatchMessageW.USER32 ref: 00831880
IsDialogMessageW.USER32 ref: 00831890

Strings

0, xrefs: 00831527
MEMZ Clean Version - Payload Panel, xrefs: 00831674
BUTTON, xrefs: 0083173B
2, xrefs: 00831664
MEMZPanel, xrefs: 0083153B, 0083167C
2, xrefs: 0083165C
D+v, xrefs: 008317FD
0, xrefs: 008317C9

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: CreateMessageWindow$CallbackDispatcherObjectSendThreadUser$AdjustClassCommonControlsDialogDispatchFontHandleInitLongModuleRectRegisterShowStockTranslate
String ID: 0$0$2$2$BUTTON$MEMZ Clean Version - Payload Panel$MEMZPanel$D+v
API String ID: 372181788-1584942865
Opcode ID: 58fd8a9076fc08daceec25847521ef143b7025c2a2d5afd2d6b530ea58dbb22c
Instruction ID: d98ab499d392cd2dd2ea8bca7c06956bc92da24cfe5bbfd7fd24254115cda771
Opcode Fuzzy Hash: 58fd8a9076fc08daceec25847521ef143b7025c2a2d5afd2d6b530ea58dbb22c
Instruction Fuzzy Hash: 53C103B19093049FD700DFA9D99875EBFF0FB88304F00896DE4989B251E7B98588CF92

Function 00831191 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 008311D8

Strings

MEMZ, xrefs: 00831273
ENABLED, xrefs: 008312F3
DISABLED, xrefs: 00831301
This payload is considered semi-harmful.This means, it should be safe to use, but can still cause data loss or other things you might not want.If you have productive data on your system or signed in to online accounts, it is recommended to run this paylo, xrefs: 0083127B
Press CTRL+SHIFT+S to skip some time (makes some payloads faster), xrefs: 008313AD
4, xrefs: 0083126B
A, xrefs: 008313A5
Payloads are currently %1. Press SHIFT+ESC to toggle all payloads!, xrefs: 0083132F

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: ExitProcess
String ID: 4$A$DISABLED$ENABLED$MEMZ$Payloads are currently %1. Press SHIFT+ESC to toggle all payloads!$Press CTRL+SHIFT+S to skip some time (makes some payloads faster)$This payload is considered semi-harmful.This means, it should be safe to use, but can still cause data loss or other things you might not want.If you have productive data on your system or signed in to online accounts, it is recommended to run this paylo
API String ID: 621844428-349616585
Opcode ID: edf9adb19d218f72f685c680b229c17ff50a6b21716604374ad0a6afedb64cc8
Instruction ID: b32c6ecb30c9a428cba9d64bf5441e3a2d2e8d550e55561c473d8d36dfd52f4a
Opcode Fuzzy Hash: edf9adb19d218f72f685c680b229c17ff50a6b21716604374ad0a6afedb64cc8
Instruction Fuzzy Hash: 776134B09087049FCB04DF68D84879EBBF5FBC4714F10C92EE5988B251E37998588F82

Function 008318A8 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 139
windowsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

waveOutOpen.WINMM ref: 008318F0
LocalAlloc.KERNELBASE ref: 00831908
waveOutPrepareHeader.WINMM(00833000,00833000), ref: 0083195C
SendMessageW.USER32 ref: 00831990
waveOutReset.WINMM(00000000), ref: 00831A19
waveOutWrite.WINMM ref: 00831A32
waveOutPause.WINMM ref: 00831A5B
SendMessageW.USER32 ref: 00831A81
Sleep.KERNEL32 ref: 00831A94
SendMessageW.USER32 ref: 00831ABB
Sleep.KERNELBASE ref: 00831AD3

Strings

, xrefs: 00831A20

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: wave$MessageSend$Sleep$AllocHeaderLocalOpenPausePrepareResetWrite
String ID:
API String ID: 2799926116-3916222277
Opcode ID: 15a470f84ddeef24644c65f308a61b0bf2753e1ea2d9149ea29bd245a5b1cb8c
Instruction ID: b3f337da81042c166e789296cec2b857dea06133bf1e3302bdedd661f9f0f191
Opcode Fuzzy Hash: 15a470f84ddeef24644c65f308a61b0bf2753e1ea2d9149ea29bd245a5b1cb8c
Instruction Fuzzy Hash: 67513AB09093099FDB009FA9C55C79EBFF0FF84704F41881DE894AB251D3B98848CB92

Function 00832084 Relevance: 7.6, APIs: 5, Instructions: 67
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 00832090
GetWindowDC.USER32 ref: 0083209C
GetWindowRect.USER32 ref: 008320B3
SendMessageW.USER32 ref: 008320F2
Sleep.KERNELBASE ref: 00832172

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: Window$DesktopMessageRectSendSleep
String ID:
API String ID: 2444003871-0
Opcode ID: 977feed272f83c1114404d512936527b88ad6c1d61b6f6e4142e2ada97faa52c
Instruction ID: 702824c6f5d45cf977bb516153909cfb7f15f4d54c4724934e0507a949e3ef06
Opcode Fuzzy Hash: 977feed272f83c1114404d512936527b88ad6c1d61b6f6e4142e2ada97faa52c
Instruction Fuzzy Hash: C931B2B09043059FCB04DF68D58869ABBF4FF88300F118959E889AB315E734E955CFA1

Function 00831FE4 Relevance: 3.0, APIs: 2, Instructions: 40
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32 ref: 00832015
Sleep.KERNELBASE ref: 00832078

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: MessageSendSleep
String ID:
API String ID: 1161321871-0
Opcode ID: e3264026b2eb7e1dcc7be6ee90f85098f2146b9ca1b0ec9090c3ecda4c843296
Instruction ID: 61e5753c96c746b65a84fc9906ccd5a5dfb4b329ef742de6203d03ce261ca3c1
Opcode Fuzzy Hash: e3264026b2eb7e1dcc7be6ee90f85098f2146b9ca1b0ec9090c3ecda4c843296
Instruction Fuzzy Hash: 401193B0508605DFDB08DF18C1987177BE0FB84308F118998DC898B25AD779D559CBD2

Non-executed Functions

Function 008323F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 00832426
ExitProcess.KERNEL32 ref: 0083243A
CryptGenRandom.ADVAPI32 ref: 00832457

Strings

@, xrefs: 008323FF

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: Crypt$AcquireContextExitProcessRandom
String ID: @
API String ID: 999881550-2766056989
Opcode ID: cd37b7c42e32561615260274856c9872e0141abada5d5a32936cb374e11de0f2
Instruction ID: 6e1f6885dc41f409fe1600aa062f745698bf49c143c508d6ec44f1777e6ce689
Opcode Fuzzy Hash: cd37b7c42e32561615260274856c9872e0141abada5d5a32936cb374e11de0f2
Instruction Fuzzy Hash: EFF0A4B0804705EFD700AF68D95931EBBF4FB80348F00C91DE9958B2A5E7BA9458CF96

Function 00831B84 Relevance: 10.6, APIs: 7, Instructions: 95
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00831BA4
GetSystemMetrics.USER32 ref: 00831BB9
GetCursorPos.USER32(762B4920), ref: 00831BC7
LoadIconW.USER32(00000002), ref: 00831BE3
DrawIcon.USER32 ref: 00831C0A

Part of subcall function 008323F0: CryptAcquireContextW.ADVAPI32 ref: 00832426
Part of subcall function 008323F0: ExitProcess.KERNEL32 ref: 0083243A

LoadIconW.USER32 ref: 00831C5B

Part of subcall function 008323F0: CryptGenRandom.ADVAPI32 ref: 00832457

DrawIcon.USER32 ref: 00831C90

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: Icon$CryptDrawLoadMetricsSystem$AcquireContextCursorExitProcessRandom
String ID:
API String ID: 1154174717-0
Opcode ID: 0ab4f50bf0a991ee95ee64105b8a3f9ea37c576b86fb496b96192cac70fbf150
Instruction ID: 0c4ceeed7c009b7835c079115942406333c770a462b8217bd4ce14b2fe687d1d
Opcode Fuzzy Hash: 0ab4f50bf0a991ee95ee64105b8a3f9ea37c576b86fb496b96192cac70fbf150
Instruction Fuzzy Hash: 3D315EB0905218AFDB00EFADD8446AEBBF5FF88310F01891DE88897351E7799850CB91

Function 00831DF8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 25
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00831DFF
SetWindowsHookExW.USER32 ref: 00831E20
MessageBoxW.USER32 ref: 00831E4A
UnhookWindowsHookEx.USER32 ref: 00831E56

Strings

lol, xrefs: 00831E33
Still using this computer?, xrefs: 00831E3B

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: HookWindows$CurrentMessageThreadUnhook
String ID: Still using this computer?$lol
API String ID: 329392933-3014242478
Opcode ID: 506811b1f22cc482b8312de89e2226e5c6298ffad642dfa67f58f4bb03058f80
Instruction ID: 34ddaa31ad3b91f52239a08e749dccf6fc79e86aee0e6affd46030d204571c96
Opcode Fuzzy Hash: 506811b1f22cc482b8312de89e2226e5c6298ffad642dfa67f58f4bb03058f80
Instruction Fuzzy Hash: F7F0B7B0108305AFD700AFA8D54861FBFF4FB84349F42C81CE59987251E7B894588F92

Function 00831EF4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
windowtimememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00831F0F
SendMessageTimeoutW.USER32 ref: 00831F4E
GlobalFree.KERNEL32 ref: 00831F96

Part of subcall function 0083246C: lstrlenW.KERNEL32(?,?,00000000,762BAE40,?,?,00831F5F), ref: 0083247B

SendMessageTimeoutW.USER32 ref: 00831F8E

Strings

d, xrefs: 00831F67

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: GlobalMessageSendTimeout$AllocFreelstrlen
String ID: d
API String ID: 2955749784-2564639436
Opcode ID: 7fab49539098659acc478fadf916d5ef2befb2d988f497e71720db04c83fddf7
Instruction ID: 34c2b1d65819ddfd0efd40b4886f329b92c6899d7d7c55e1335bcee2d87c8ea0
Opcode Fuzzy Hash: 7fab49539098659acc478fadf916d5ef2befb2d988f497e71720db04c83fddf7
Instruction Fuzzy Hash: E411A2B1408301AFE700AF69D98971BBFE4FF84754F01881DE5D88B291D3BA8558CBA2

Function 008322C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StretchBlt.GDI32 ref: 0083231A

Strings

2, xrefs: 00832307
, xrefs: 008322D5
2, xrefs: 0083230F

Memory Dump Source

Source File: 00000000.00000002.2581689425.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2581670188.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581710062.0000000000833000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581731275.0000000000834000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581753602.0000000000836000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2581773561.0000000000837000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_MEMZ-Clean.jbxd

Similarity

API ID: Stretch
String ID: $2$2
API String ID: 3460941471-912482728
Opcode ID: d8e330ecba1559fc65330fe871feaaca9562adbbbe82b26c0e3b1b864bfbb0f7
Instruction ID: dec7557a437299ea7c2a01f9a5b6505f602795397dfb49263862b3198e93ed2b
Opcode Fuzzy Hash: d8e330ecba1559fc65330fe871feaaca9562adbbbe82b26c0e3b1b864bfbb0f7
Instruction Fuzzy Hash: 831127B0808349DFDB04DF65D50428EBBF0FF84748F509958E89466354D3BA8955CF86

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MEMZ-Clean.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: MEMZ-Clean.exePID: 8072, Parent PID: 3084

General

File Activities

File Opened

File Read

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Windows Analysis Report
MEMZ-Clean.exe

Function 00831000 Relevance: 22.6, APIs: 15, Instructions: 104
keyboardsleepwindowCOMMON

Function 0083146B Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 229
windowthreadregistryCOMMON

Function 00831191 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 161
COMMON

Function 008318A8 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 139
windowsleepmemoryCOMMON

Function 00832084 Relevance: 7.6, APIs: 5, Instructions: 67
sleepwindowCOMMON

Function 00831FE4 Relevance: 3.0, APIs: 2, Instructions: 40
sleepwindowCOMMON

Function 008323F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
encryptionCOMMON

Function 00831B84 Relevance: 10.6, APIs: 7, Instructions: 95
windowCOMMON

Function 00831DF8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 25
threadwindowCOMMON

Function 00831EF4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
windowtimememoryCOMMON

Function 008322C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
windowCOMMON