Analysis Report payload.exe

Overview

General Information

Sample Name: payload.exe
Analysis ID: 433772
MD5: b06395f18df7aec3d7c00aa219594631
SHA1: 83e8ebe8e706fe4fdb0220cac18094ca4caa0259
SHA256: 1d9bccec9ebbe9e1b0947bdbb0a80c09e7277b2af65a4d25d64d99606d2a7b3a
Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Process Tree

  • System is w10x64
  • payload.exe (PID: 2596 cmdline: 'C:\Users\user\Desktop\payload.exe' MD5: B06395F18DF7AEC3D7C00AA219594631)
    • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: payload.exe | Avira: detected
Source: payload.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payload.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp | Binary string: m.pdb*, q_Hi
Source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp | Binary string: 0C:\Windows\System.pdbG>g
Source: payload.exe, 00000001.00000002.1297195072.000000000053C000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename clr.dllT vs payload.exe
Source: payload.exe, 00000001.00000002.1296955099.0000000000104000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Shell.exe$ vs payload.exe
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename Kernelbase.dll.muij% vs payload.exe
Source: payload.exe | Binary or memory string: OriginalFilename Shell.exe$ vs payload.exe
Note: only the Shell.exe hit is the sample's own version info (it sits in the sample's image region at 0x100000, the one the unpack entries below are taken from); the clr.dll and Kernelbase.dll.mui hits come from runtime and system modules mapped into the process, so the "file name differs from version info" signature rests on the Shell.exe mismatch alone.
Source: payload.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.0.payload.exe.100000.0.unpack, Program.cs | Suspicious method names: System.Void Payload.Program::.ctor(); System.Void Payload.Program::Main(System.String[]); System.Void Payload.Program::<Main>m__0(System.Object); System.Void Payload.Program::Shell(); System.Void Payload.Program::CmdOutputDataHandler(System.Object,System.Diagnostics.DataReceivedEventArgs)
Source: payload.exe, Program.cs | Suspicious method names: the same five methods (Payload.Program::.ctor, Main, <Main>m__0, Shell, CmdOutputDataHandler)
Source: 1.2.payload.exe.100000.0.unpack, Program.cs | Suspicious method names: the same five methods (Payload.Program::.ctor, Main, <Main>m__0, Shell, CmdOutputDataHandler)
Source: classification engine | Classification label: mal48.winEXE@2/1@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: payload.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payload.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payload.exe | File read: C:\Users\user\Desktop\payload.exe
Source: unknown | Process created: C:\Users\user\Desktop\payload.exe 'C:\Users\user\Desktop\payload.exe'
Source: C:\Users\user\Desktop\payload.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payload.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp | Binary string: m.pdb*, q_Hi
Source: payload.exe, 00000001.00000002.1299332423.000000001AC66000.00000004.00000001.sdmp | Binary string: 0C:\Windows\System.pdbG>g
Source: C:\Users\user\Desktop\payload.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Users\user\Desktop\payload.exe | Thread delayed, delay time (ms), in order: 922337203685477, 420000, 419891, 419781, 419672, 419562, 419453, 419344, 419234, 419125, 419016, 418906, 418797, 418687, 418578, 418469, 418359, 418250, 418141, 418031, 417922, 417812, 417703, 417594, 417484, 417375, 417266, 417156, 417047, 416937, 416828, 416719, 416609, 416500, 416391, 416281, 416172, 416062, 415953, 415843, 415734, 415625, 415516, 415406, 415297, 415187, 415078, 414969, 414859, 414750, 414641, 414531 (the first value is the integer part of .NET TimeSpan.MaxValue in milliseconds, i.e. an effectively infinite sleep; the remaining 51 values start at 7 minutes and each is about 109-110 ms shorter than the one before)
Source: C:\Users\user\Desktop\payload.exe | Window / User API: threadDelayed 6914
Source: C:\Users\user\Desktop\payload.exe | Window / User API: threadDelayed 2913
Source: C:\Users\user\Desktop\payload.exe TID: 6108 | Thread sleep time (each compared against the -30000s threshold), in order: -23058430092136925s, -420000s, -419891s, -419781s, -419672s, -419562s, -419453s, -419344s, -419234s, -419125s, -419016s, -418906s, -418797s, -418687s, -418578s, -418469s, -418359s, -418250s, -418141s, -418031s, -417922s, -417812s, -417703s, -417594s, -417484s, -417375s, -417266s, -417156s, -417047s, -416937s, -416828s, -416719s, -416609s, -416500s, -416391s, -416281s, -416172s, -416062s, -415953s, -415843s, -415734s, -415625s, -415516s, -415406s, -415297s, -415187s, -415078s, -414969s, -414859s, -414750s, -414641s, -414531s
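Added example (not part of the Joe Sandbox report and not the sample's code): a small triage script that reads the flattened "Thread delayed" events above and applies the checks the report's signatures express. It flags any delay at or above the report's 3-minute threshold, recognises 922337203685477 ms as the integer part of .NET's TimeSpan.MaxValue in milliseconds (an effectively infinite sleep), and looks for the re-sleep pattern visible in the 420000 to 414531 sequence: each call is about 109-110 ms shorter than the previous one, which is the shape a "sleep until a fixed deadline" loop produces when the sandbox returns from Sleep early and the program re-sleeps the remaining time (the Simulations section records 3653 modified Sleep calls). That reading of the decreasing sequence is an inference from the numbers, not a statement in the report; the sample lines are constructed from the values listed above.

```python
"""Triage helper for sandbox 'Thread delayed' events (added example, not Joe Sandbox code).

Input: report lines of the form '... Thread delayed: delay time: <ms>'.
Checks: a long sleep (>= 3 min, the report's own signature threshold), an
effectively infinite sleep (TimeSpan.MaxValue in ms), and a run of steadily
shrinking delays, which is what a 'sleep until deadline' loop produces when
each Sleep returns early and the remaining time is re-slept.
"""
import re
from dataclasses import dataclass, field

LONG_SLEEP_MS = 3 * 60 * 1000          # >= 3 min, as in 'Contains long sleeps (>= 3 min)'
TIMESPAN_MAX_MS = 922_337_203_685_477  # int(TimeSpan.MaxValue.TotalMilliseconds) in .NET

_DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


@dataclass
class SleepVerdict:
    delays_ms: list = field(default_factory=list)    # every delay seen, in order
    long_sleeps: list = field(default_factory=list)  # finite delays >= LONG_SLEEP_MS
    infinite_sleep: bool = False                     # TimeSpan.MaxValue seen
    resleep_loop: bool = False                       # shrinking-delay run seen
    total_finite_minutes: float = 0.0                # requested sleep, infinite excluded


def parse_delays(lines):
    """Return delay values (ms) from report lines, in order of appearance."""
    return [int(m.group(1)) for m in map(_DELAY_RE.search, lines) if m]


def detect_resleep_loop(delays, min_run=5, max_step_ms=1000):
    """True if >= min_run consecutive delays each shrink by 1..max_step_ms ms.

    A program that sleeps until a deadline re-sleeps (deadline - now) after
    every early return, so the step equals the wall-clock time that elapsed
    per iteration (about 109-110 ms in this report).
    """
    run = 1
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= max_step_ms:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def analyze(lines):
    """Apply all three checks to the given report lines."""
    v = SleepVerdict(delays_ms=parse_delays(lines))
    v.infinite_sleep = TIMESPAN_MAX_MS in v.delays_ms
    finite = [d for d in v.delays_ms if d != TIMESPAN_MAX_MS]
    v.long_sleeps = [d for d in finite if d >= LONG_SLEEP_MS]
    v.resleep_loop = detect_resleep_loop(finite)
    v.total_finite_minutes = sum(finite) / 60_000
    return v


# Constructed sample: the first values listed in this report, one unrelated
# event line that must be ignored, and one short sleep that must not be flagged.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 420000",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 419891",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 419781",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 419672",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 419562",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 419453",
    r"Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01",
    r"Source: C:\Users\user\Desktop\payload.exe Thread delayed: delay time: 500",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

Run on the full list above, the script reports one infinite sleep, 51 long sleeps and a re-sleep run; on its own the 3-minute threshold is the weakest of the three signals, because a single legitimate 7-minute timer trips it, while the shrinking-run check only fires for the re-sleep shape.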
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: payload.exe, 00000001.00000002.1297256206.0000000000599000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: payload.exe, 00000001.00000002.1299398035.000000001AF70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: the 1AF70000 region is the one the report attributes to Kernelbase.dll.mui (OriginalFilename match above), so these Hyper-V messages are Windows resource text mapped into the process, not strings of the 5 KB sample; "Hyper-V RAW" is the display name of the Hyper-V socket Winsock provider, which is expected in memory once the process initialises Winsock. None of these lines shows the sample checking for a virtual machine.
Source: C:\Users\user\Desktop\payload.exe | Memory allocated: page read and write | page guard
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: payload.exe, 00000001.00000002.1297875771.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Note: these window-class names sit in a memory region (0xDA0000) other than the sample's own image (0x100000 in the unpack names), so the Application Window Discovery mapping should be confirmed against the decompiled assembly before being treated as the sample's logic.
Source: C:\Users\user\Desktop\payload.exe | Queries volume information: C:\Users\user\Desktop\payload.exe VolumeInformation
Source: C:\Users\user\Desktop\payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques matched by signatures (number of matching signatures in brackets); every other cell of the matrix is an unmatched template entry:

  • Privilege Escalation: Process Injection (2)
  • Defense Evasion: Process Injection (2), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (21)
  • Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), System Information Discovery (13)

Tactic columns of the matrix: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact. No technique matched under Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control or Impact.

Behavior Graph

Behavior Graph ID: 433772 | Sample: payload.exe | Start date: 13/06/2021 | Architecture: WINDOWS | Score: 48

  • payload.exe started (signature: Antivirus / Scanner detection for submitted sample)
    • network: 172.31.2.89, port 56 (ATT-INTERNET4US, Reserved)
    • conhost.exe started

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
payload.exe | 100% | Avira | HEUR/AGEN.1133230

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.payload.exe.100000.0.unpack | 100% | Avira | HEUR/AGEN.1133230
1.0.payload.exe.100000.0.unpack | 100% | Avira | HEUR/AGEN.1133230

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.31.2.89 | unknown | Reserved | 7018 | ATT-INTERNET4US | false

Note: 172.31.2.89 lies in 172.16.0.0/12, RFC 1918 private address space, which is why the country resolves to "Reserved"; the ASN 7018 (ATT-INTERNET4US) attribution is a lookup artifact and identifies no operator. The console output captured under Created / dropped Files shows the connection attempt to 172.31.2.89:56 timing out, so no command-and-control traffic was observed; the target is only reachable from a network where that private address is in use.

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433772
Start date: 13.06.2021
Start time: 19:38:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: payload.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@2/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Execution Graph export aborted for target payload.exe, PID 2596 because it is empty
  • Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

Time | Type | Description
19:38:55 | API Interceptor | 3653x Sleep call for process payload.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: ATT-INTERNET4US. Samples previously seen in Joe Sandbox contacting IPs attributed to this ASN (all with detection "malicious"); associated sample name followed by the contacted IP:

  • payload.exe: 172.31.2.56
  • payload.exe: 172.31.2.71
  • payload.exe: 172.31.2.100
  • mssecsvr.exe: 71.149.37.79
  • Docc.html: 13.36.218.177
  • fL8BN6Qdsu.dll: 13.32.16.68
  • #Ud83d#Udcde_#U25b6#Ufe0fPlay_to_Listen.htm: 13.36.218.177
  • mjzvlwau: 13.171.225.162
  • MedMooc.exe: 172.17.0.207
  • FAX.HTML: 13.36.218.177
  • K9pRfTme7J.exe: 172.18.60.217
  • K9pRfTme7J.exe: 172.18.60.217
  • project-a.exe: 172.129.113.237
  • project-a.exe: 172.129.113.237
  • OW73NJTujh.dll: 12.96.42.215
  • S5.exe: 12.176.148.42
  • _cro.exe: 172.16.2.1
  • EKSkwdJJI7.exe: 172.19.255.48
  • DA1wxOjE9C.exe: 13.36.178.139
  • XPChvE6GQd: 45.30.40.164

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv
Process:C:\Users\user\Desktop\payload.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):784
Entropy (8bit):4.821721066094882
Encrypted:false
SSDEEP:12:pqecNtxWvWlGxWVDroBitqecNtxWvWlGxWVDroBO:rcNtxHlG8VXTHcNtxHlG8VXv
MD5:C147D87539490FCE026C828437C09B01
SHA1:A921A72CCBED142579DE211DA005FB65AE713A07
SHA-256:12AE6114710970B7297DD8C52A0874FA455E11F96235FC38DD863A6174213629
SHA-512:D686D4EFA3C7D5CD152AB535B2EC95EEFE66D70A60A85C2E9A79202481879D67117B24254543E173BBA56461BD80098D49FABE0D107427D32D772903CF5080F4
Malicious:false
Reputation:low
Preview (console output with line breaks restored; the same exception dump appears twice, once per connection attempt recorded under Network Behavior):
System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.31.2.89:56
   at System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port)
   at Payload.Program.Shell()
   at Payload.Program.<Main>m__0(Object e)
Note: \Device\ConDrv is the Windows console device, so this "dropped file" is the process's console output as captured by the sandbox, not a file written to disk. The trace shows that Payload.Program.Shell() opens a TcpClient to 172.31.2.89 port 56 from a compiler-generated anonymous method inside Main; that method catches the failed connect, writes the exception to the console and tries again, which is why the dump appears twice.

Static File Info

General

File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):3.742190561091188
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name:payload.exe
File size:5120
MD5:b06395f18df7aec3d7c00aa219594631
SHA1:83e8ebe8e706fe4fdb0220cac18094ca4caa0259
SHA256:1d9bccec9ebbe9e1b0947bdbb0a80c09e7277b2af65a4d25d64d99606d2a7b3a
SHA512:76402a28a309311854efbd07589187a59bb90a696e9fdb662c921a7f98633c0e73f476c5e1d71404a7c0ad5d09edee7e40d5ff8d1ac310a792c93faef5e89e2f
SSDEEP:48:6HkFjGNa8766G8KH4duogo+bAcyMuPCU2Z+FK16+k+lDUrinJmwJL0TQZtEOPulr:7Fj8G8KH49go+E1PCUUdTUrs7bsP0M
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................................>*... ...@....@.. ....................................@................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x402a3e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining bytes of the preview are zero padding, which the disassembler renders as 97 repetitions of "add byte ptr [eax], al")

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x29f0           0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4000           0x2d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa44         0xc00     False     0.5068359375     data       4.66745426327   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x4000           0x2d8         0x400     False     0.328125         data       2.32307159838   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x6000           0xc           0x200     False     0.044921875      data       0.0815394123432 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        RVA     Size   Type  Language  Country
RT_VERSION  0x4058  0x280  data

Imports

DLL          Import
mscoree.dll  _CorExeMain
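The entrypoint preview above (jmp dword ptr [00402000h]), the IAT directory at 0x2000, the COM descriptor (CLR header) at 0x2008 and the single mscoree.dll!_CorExeMain import are the pieces of the standard x86 CLR stub that compilers emit for every managed executable: the native entry point is one indirect jump through the IAT into mscoree.dll, and everything else in the file is IL executed by the runtime. A managed image whose native entry point is anything else (a native bootstrapper, a packer stub, a patched jump) deserves a closer look. Note that the report shows this PE32 file running as a non-WoW64 process ("Wow64 process (32bit): false") with JIT code at a 64-bit address; on x64 Windows the loader recognises the CLR header and, for IL-only assemblies, starts the 64-bit runtime directly without ever executing the x86 stub, so this is a static check, not a runtime one. The following Python is an added example, not Joe Sandbox's or the sample's own code: it constructs a minimal PE32 image from the header values in the tables above (raw file offsets, the internal layout of .text and the ILONLY flag are assumptions, since the report does not list them) and checks whether the entry point resolves to mscoree.dll!_CorExeMain.

```python
import struct

# Header values from the report's Static PE Info, Data Directories and Sections tables.
IMAGE_BASE = 0x400000
ENTRY_RVA = 0x402A3E - IMAGE_BASE                       # 0x2a3e
TEXT_RVA, TEXT_VSIZE, TEXT_RAWSIZE = 0x2000, 0xA44, 0xC00
IAT_RVA, IAT_SIZE = 0x2000, 0x8
CLR_RVA, CLR_SIZE = 0x2008, 0x48
IMPORT_RVA, IMPORT_SIZE = 0x29F0, 0x4B
TEXT_RAWOFF = 0x200                 # assumed: the report does not list raw file offsets
DIR_IMPORT, DIR_IAT, DIR_CLR = 1, 12, 14                # IMAGE_DIRECTORY_ENTRY_* indices
CLR_STUB_TARGET = "mscoree.dll!_CorExeMain"


def build_sample_image() -> bytes:
    """Constructed PE32 image reproducing the report's header values. Where the import
    descriptor, hint/name entry and DLL name sit inside .text is an assumption."""
    img = bytearray(TEXT_RAWOFF + TEXT_RAWSIZE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\x00\x00"
    # COFF: i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 16, ENTRY_RVA)
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 32, 0x2000, 0x200)                     # section/file alignment
    struct.pack_into("<HH", img, opt + 68, 3, 0x8540)   # CUI; NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    for idx, entry in {DIR_IMPORT: (IMPORT_RVA, IMPORT_SIZE), DIR_IAT: (IAT_RVA, IAT_SIZE),
                       DIR_CLR: (CLR_RVA, CLR_SIZE)}.items():
        struct.pack_into("<II", img, opt + 96 + 8 * idx, *entry)
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0, b".text", TEXT_VSIZE, TEXT_RVA,
                     TEXT_RAWSIZE, TEXT_RAWOFF, 0, 0, 0, 0, 0x60000020)       # EXECUTE|CODE|READ

    def put(rva: int, data: bytes) -> None:
        off = TEXT_RAWOFF + (rva - TEXT_RVA)
        img[off:off + len(data)] = data

    hint_name_rva = IMPORT_RVA + 40                      # after one descriptor + null terminator
    dll_name_rva = hint_name_rva + 2 + len(b"_CorExeMain\x00")
    put(IAT_RVA, struct.pack("<II", hint_name_rva, 0))   # one unbound IAT slot + terminator
    put(IMPORT_RVA, struct.pack("<IIIII", 0, 0, 0, dll_name_rva, IAT_RVA) + bytes(20))
    put(hint_name_rva, b"\x00\x00_CorExeMain\x00")
    put(dll_name_rva, b"mscoree.dll\x00")
    # IMAGE_COR20_HEADER: cb, runtime 2.5, metadata rva/size, Flags = COMIMAGE_FLAGS_ILONLY (assumed)
    put(CLR_RVA, struct.pack("<IHHIII", CLR_SIZE, 2, 5, 0, 0, 1))
    put(ENTRY_RVA, b"\xFF\x25" + struct.pack("<I", IMAGE_BASE + IAT_RVA))   # jmp dword ptr [402000h]
    return bytes(img)


def parse_headers(image: bytes) -> dict:
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt = pe + 24                                        # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    raw = [struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i) for i in range(nsec)]
    return {"entry_rva": struct.unpack_from("<I", image, opt + 16)[0],
            "image_base": struct.unpack_from("<I", image, opt + 28)[0],
            "dirs": [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)],
            # (name, virtual address, virtual size, raw size, raw offset)
            "sections": [(n.rstrip(b"\x00").decode(), va, vs, rs, ro) for n, vs, va, rs, ro in raw]}


def rva_to_offset(sections: list, rva: int) -> int:
    for _, va, vsize, rawsize, rawoff in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawoff + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(image: bytes, off: int) -> str:
    return image[off:image.index(b"\x00", off)].decode()


def resolve_iat_slot(image: bytes, hdr: dict, slot_rva: int):
    """Map an IAT slot RVA to 'dll!symbol' by walking the import descriptors."""
    secs = hdr["sections"]
    off = rva_to_offset(secs, hdr["dirs"][DIR_IMPORT][0])
    while True:
        _, _, _, name_rva, thunk = struct.unpack_from("<IIIII", image, off)
        if name_rva == 0:                                # null descriptor ends the table
            return None
        dll = read_cstring(image, rva_to_offset(secs, name_rva))
        while (val := struct.unpack_from("<I", image, rva_to_offset(secs, thunk))[0]) != 0:
            if thunk == slot_rva:
                if val & 0x80000000:                     # import by ordinal
                    return f"{dll}!#{val & 0xFFFF}"
                return f"{dll}!{read_cstring(image, rva_to_offset(secs, val) + 2)}"
            thunk += 4                                   # PE32 thunks are 4 bytes
        off += 20


def classify_entrypoint(image: bytes) -> dict:
    """Is the image managed, and is its native entry the standard CLR stub into mscoree.dll?"""
    hdr = parse_headers(image)
    secs = hdr["sections"]
    clr_rva, clr_size = hdr["dirs"][DIR_CLR]
    iat_rva, iat_size = hdr["dirs"][DIR_IAT]
    result = {"managed": clr_size != 0, "il_only": False, "clr_stub": False, "target": None}
    if result["managed"]:
        flags = struct.unpack_from("<I", image, rva_to_offset(secs, clr_rva) + 16)[0]
        result["il_only"] = bool(flags & 1)
    code = image[rva_to_offset(secs, hdr["entry_rva"]):][:6]
    if code[:2] == b"\xFF\x25":                          # jmp dword ptr [imm32]
        slot_rva = struct.unpack_from("<I", code, 2)[0] - hdr["image_base"]
        if iat_rva <= slot_rva < iat_rva + iat_size:
            result["target"] = resolve_iat_slot(image, hdr, slot_rva)
            result["clr_stub"] = result["target"] == CLR_STUB_TARGET
    return result


def patch_entry(image: bytes, code: bytes) -> bytes:
    """Overwrite the entry-point bytes, to show what a non-stub native entry looks like."""
    off = rva_to_offset(parse_headers(image)["sections"], parse_headers(image)["entry_rva"])
    return image[:off] + code + image[off + len(code):]
```

classify_entrypoint(build_sample_image()) reports managed, IL-only and a clean stub to mscoree.dll!_CorExeMain; patching the entry with a native prologue (push ebp; mov ebp, esp) keeps the image managed but clears clr_stub, which is the condition a triage script should flag. For a real file, replace build_sample_image() with the bytes of the sample and widen parse_headers to PE32+ before pointing it at 64-bit images.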

Version Infos

Description       Data
Translation       0x007f 0x04b0
LegalCopyright
InternalName      Shell
FileVersion       0.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename  Shell.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jun 13, 2021 19:38:55.633399963 CEST  49709        56         192.168.2.5  172.31.2.89
Jun 13, 2021 19:38:58.644207001 CEST  49709        56         192.168.2.5  172.31.2.89
Jun 13, 2021 19:39:04.644779921 CEST  49709        56         192.168.2.5  172.31.2.89
Jun 13, 2021 19:45:55.242383003 CEST  49746        56         192.168.2.5  172.31.2.89
Jun 13, 2021 19:45:58.255409956 CEST  49746        56         192.168.2.5  172.31.2.89
Jun 13, 2021 19:46:04.271543026 CEST  49746        56         192.168.2.5  172.31.2.89
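The table holds two bursts, each three packets from one source port to 172.31.2.89:56 at +0 s, +3 s and +9 s. That spacing is Windows' default connect retry schedule (retransmit after 3 s, then after a further 6 s) and matches the timed-out TcpClient constructor in the console output under Created / dropped Files; the second burst begins about seven minutes after the first. Read together with the Sleep-call count under Behavior and APIs, this is a reconnect loop with a sleep between attempts, although the sandbox states that it modified Sleep calls, so the observed gap is what was measured, not necessarily the programmed interval. The following Python is an added example, not part of the Joe Sandbox report: it parses the six rows above (embedded as constructed input), groups packets into connection attempts, recovers the retry timing and the interval between attempts, and flags that the destination lies in RFC 1918 private address space, which is worth bearing in mind when weighing the ASN context listed earlier.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed from the six rows of the report's TCP Packets table:
# timestamp, source port, destination port, source IP, destination IP.
TCP_PACKETS = """\
Jun 13, 2021 19:38:55.633399963 CEST 49709 56 192.168.2.5 172.31.2.89
Jun 13, 2021 19:38:58.644207001 CEST 49709 56 192.168.2.5 172.31.2.89
Jun 13, 2021 19:39:04.644779921 CEST 49709 56 192.168.2.5 172.31.2.89
Jun 13, 2021 19:45:55.242383003 CEST 49746 56 192.168.2.5 172.31.2.89
Jun 13, 2021 19:45:58.255409956 CEST 49746 56 192.168.2.5 172.31.2.89
Jun 13, 2021 19:46:04.271543026 CEST 49746 56 192.168.2.5 172.31.2.89
"""

# Windows' default connect() behaviour: initial SYN, retransmit after 3 s, then 6 s later.
WINDOWS_SYN_RETRIES = [3, 9]


def parse_row(line: str) -> tuple:
    """Split one table row into (timestamp, src, sport, dst, dport)."""
    parts = line.split()
    # The sandbox prints nanoseconds; datetime takes microseconds, so drop the last three digits.
    ts = datetime.strptime(" ".join(parts[:4])[:-3], "%b %d, %Y %H:%M:%S.%f")
    return ts, parts[7], int(parts[5]), parts[8], int(parts[6])


def group_attempts(rows) -> list:
    """One connection attempt = one (src, sport, dst, dport) 4-tuple with its packet timestamps."""
    attempts = defaultdict(list)
    for ts, src, sport, dst, dport in rows:
        attempts[(src, sport, dst, dport)].append(ts)
    summary = []
    for (src, sport, dst, dport), stamps in sorted(attempts.items(), key=lambda kv: min(kv[1])):
        stamps.sort()
        retrans = [round((t - stamps[0]).total_seconds()) for t in stamps[1:]]
        summary.append({
            "src": src,
            "sport": sport,
            "dst": f"{dst}:{dport}",
            "first": stamps[0],
            "retransmits": retrans,                       # seconds after the first packet
            "os_default_retry": retrans == WINDOWS_SYN_RETRIES,
            "private_dst": ip_address(dst).is_private,    # RFC 1918 / non-routable destination?
        })
    return summary


def beacon_intervals(summary: list) -> list:
    """Seconds between the starts of consecutive attempts: the payload's sleep between retries."""
    return [round((b["first"] - a["first"]).total_seconds()) for a, b in zip(summary, summary[1:])]


def analyse(text: str = TCP_PACKETS) -> dict:
    """Parse the table text and summarise attempts, retry cadence and C2 candidates."""
    summary = group_attempts(parse_row(line) for line in text.strip().splitlines())
    return {
        "attempts": summary,
        "intervals": beacon_intervals(summary),
        "c2_candidates": sorted({a["dst"] for a in summary}),
    }
```

analyse() yields two attempts with retransmits [3, 9], an interval of 420 s between them and 172.31.2.89:56 as the only candidate, with private_dst set. The same functions work on a longer capture: an attempt whose retransmit list differs from the OS schedule means the client gave up or got an answer, and a stable interval list is the reconnect sleep to write a detection around.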

Code Manipulations

System Behavior

General

Start time:19:38:54
Start date:13/06/2021
Path:C:\Users\user\Desktop\payload.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\payload.exe'
Imagebase:0x100000
File size:5120 bytes
MD5 hash:B06395F18DF7AEC3D7C00AA219594631
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:19:38:54
Start date:13/06/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis


    Executed Functions

    Memory Dump Source
    • Source File: 00000001.00000002.1300135302.00007FFA165A0000.00000040.00000001.sdmp, Offset: 00007FFA165A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ffa165a0000_payload.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4c27da83efd7bdfe425640d14e6c773ea6841f5499de20b407384c7ae1ed4e98
    • Instruction ID: e1761af828a2c8927d8221e2f6280ea3b5254f376792645d9ea78ddfce41e1b2
    • Opcode Fuzzy Hash: 4c27da83efd7bdfe425640d14e6c773ea6841f5499de20b407384c7ae1ed4e98
    • Instruction Fuzzy Hash: 4241905292DBC54FE353976888A51746FA0BF53224B5E50F7D08CCB1E3E85C5849C792
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.1300135302.00007FFA165A0000.00000040.00000001.sdmp, Offset: 00007FFA165A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ffa165a0000_payload.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 59b7de3699d0057c1d41edb7d0db5c9c6f4fc72658d09480d31a4d0a111a84f5
    • Instruction ID: be021506bacfdc4d243cb793b4b128ab737f4e517ff781f4b9df3d2c45d08c69
    • Opcode Fuzzy Hash: 59b7de3699d0057c1d41edb7d0db5c9c6f4fc72658d09480d31a4d0a111a84f5
    • Instruction Fuzzy Hash: F0314912A2CB894FE3429768C8952757BD0FFA7324B4941B6C04CC72D3ED6C9C49C781
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.1300135302.00007FFA165A0000.00000040.00000001.sdmp, Offset: 00007FFA165A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ffa165a0000_payload.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b30fa64d037d8979285346035eacd4c22cc3f3c3d20e4efa15f5c36795ad7e5d
    • Instruction ID: edffd8558590bd176f754aa5e80950e09b8e3048db2caf353d7f8da92c8edbba
    • Opcode Fuzzy Hash: b30fa64d037d8979285346035eacd4c22cc3f3c3d20e4efa15f5c36795ad7e5d
    • Instruction Fuzzy Hash: 42511662A38E494FE795E72C80A6BBC3BD1FF9A314F4980B9E04DD72D3DE2858458740
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.1300135302.00007FFA165A0000.00000040.00000001.sdmp, Offset: 00007FFA165A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ffa165a0000_payload.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c970efad013068a0c3b828a8a21bbd32f1bb7bfed4d895917fd98ea7307416a5
    • Instruction ID: 4f9d8e0ecd709a8182ba361c8e46e040178cc760353f98a9f7b0e64bb137152c
    • Opcode Fuzzy Hash: c970efad013068a0c3b828a8a21bbd32f1bb7bfed4d895917fd98ea7307416a5
    • Instruction Fuzzy Hash: F5410862E38E4D4EE794E71C80AABBD6BD1FF9A314F598079E04DD73C2CE2858458780
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.1300135302.00007FFA165A0000.00000040.00000001.sdmp, Offset: 00007FFA165A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ffa165a0000_payload.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9658632135fcf420f947397f08a88210f8f9705775427ca3120ec37e05c4864c
    • Instruction ID: 991f1e2a1ddd13d10bbbb89df8abfa1bad239c1cdd144f7aa74fb108b0752c24
    • Opcode Fuzzy Hash: 9658632135fcf420f947397f08a88210f8f9705775427ca3120ec37e05c4864c
    • Instruction Fuzzy Hash: BAF05C76C0C6C94FEB108FB4D8020D47FA4EF42330F0D06DAD44C87092D6296125CB82
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.1300135302.00007FFA165A0000.00000040.00000001.sdmp, Offset: 00007FFA165A0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ffa165a0000_payload.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 31d55059f3eb5cf8c978edcf27ec149a319b6e439b51934e5751640c2f1caef1
    • Instruction ID: 0368f4c9a93a42ed1757e36f007d17411c6efc6ff056cbdeb1eadfbb348b8a76
    • Opcode Fuzzy Hash: 31d55059f3eb5cf8c978edcf27ec149a319b6e439b51934e5751640c2f1caef1
    • Instruction Fuzzy Hash: 31D0A735564A0C4FDB40FF6494004A573A4FB54314F400766E86DC3181E734E2648781
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions