Play interactive tour

Edit tour

Windows Analysis Report u35vHcdxuH

Overview

General Information

Sample Name:	u35vHcdxuH (renamed file extension from none to exe)
Analysis ID:	542989
MD5:	3c7c6d236721ea4cef0f904ebde6f575
SHA1:	d82cd631a49a175caace0fb209f7b9da16e29655
SHA256:	ed107d31ac4a6e8f665986e3326cc2c4551fd00ba26f5414faa8edd0f7c20061
Tags:	exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect virtualization through RDTSC time measurements

Found potential dummy code loops (likely to delay analysis)

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Tries to harvest and steal browser information (history, passwords, etc)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

JA3 SSL client fingerprint seen in connection with other malware

Potential time zone aware malware

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

u35vHcdxuH.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\u35vHcdxuH.exe" MD5: 3C7C6D236721EA4CEF0F904EBDE6F575)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: u35vHcdxuH.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: u35vHcdxuH.exe	Virustotal: Detection: 39%			Perma Link
Source: u35vHcdxuH.exe	ReversingLabs: Detection: 27%

Source: unknown

HTTPS traffic detected: 88.119.175.100:443 -> 192.168.2.4:49762 version: TLS 1.2

Source: u35vHcdxuH.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724E85E FindFirstFileW,	0_2_00007FF76724E85E
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724EF55 FindFirstFileW,	0_2_00007FF76724EF55
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724ECC1 FindFirstFileW,	0_2_00007FF76724ECC1
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724ECF3 FindFirstFileW,	0_2_00007FF76724ECF3

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.175.100

Source: u35vHcdxuH.exe, 00000000.00000003.834794205.000001E19CA13000.00000004.00000001.sdmp, u35vHcdxuH.exe, 00000000.00000003.834701267.000001E19CA0B000.00000004.00000001.sdmp, u35vHcdxuH.exe, 00000000.00000002.835421850.000001E19CA15000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: u35vHcdxuH.exe, 00000000.00000002.835580240.000001E19CFAF000.00000004.00000001.sdmp	String found in binary or memory: https://88.119.175.100
Source: u35vHcdxuH.exe, 00000000.00000002.835383289.000001E19C9E1000.00000004.00000001.sdmp	String found in binary or memory: https://88.119.175.100/

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/octet-stream, application/jsonContent-Type: text/htmlT: m94DmiorMaUser-Agent: curl/6.17.0Host: 88.119.175.100Content-Length: 8093Connection: CloseCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 88.119.175.100:443 -> 192.168.2.4:49762 version: TLS 1.2

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Process Stats: CPU usage > 98%

Source: u35vHcdxuH.exe	Virustotal: Detection: 39%
Source: u35vHcdxuH.exe	ReversingLabs: Detection: 27%

Source: u35vHcdxuH.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: u35vHcdxuH.exe

String found in binary or memory: tSUOZ4I/ADDB+g==

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@1/0@0/1

Source: u35vHcdxuH.exe

Static file information: File size 3866112 > 1048576

Source: u35vHcdxuH.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: u35vHcdxuH.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: u35vHcdxuH.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x283400
Source: u35vHcdxuH.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x10ac00

Source: u35vHcdxuH.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: u35vHcdxuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: u35vHcdxuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: u35vHcdxuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: u35vHcdxuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: u35vHcdxuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767256835 push r9; ret	0_2_00007FF767256837
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767242649 pushfq ; ret	0_2_00007FF767242668
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725862D push rcx; ret	0_2_00007FF76725862E
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725A6FA push r12; ret	0_2_00007FF76725A704
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF7672484D1 push rdi; ret	0_2_00007FF7672484D2
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724A370 push rbp; ret	0_2_00007FF76724A371
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767254123 push rdi; ret	0_2_00007FF7672540B9
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767257028 push r11; ret	0_2_00007FF76725702A
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725910B push r10; ret	0_2_00007FF76725910D
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767258FF9 push r15; ret	0_2_00007FF767258FFB
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724AD4C push rbp; ret	0_2_00007FF76724AD4D
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724EA7A push rbp; ret	0_2_00007FF76724EA7B
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF7672589F7 push r12; ret	0_2_00007FF7672589F9
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724F89B push rbx; ret	0_2_00007FF76724F89C
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724B7BE push rsp; ret	0_2_00007FF76724B7BF
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767247707 push r10; ret	0_2_00007FF767247709
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767253711 push r15; ret	0_2_00007FF767253713
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF7672576F5 push rsp; ret	0_2_00007FF7672576F6
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725351C push r9; ret	0_2_00007FF76725351E
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767253435 push rax; ret	0_2_00007FF767253436
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF7672432B4 push rsi; ret	0_2_00007FF7672432B5
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724129D push r9; ret	0_2_00007FF76724129F
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725B2FF push rax; ret	0_2_00007FF76725B300
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767254047 push r10; ret	0_2_00007FF767254049
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725402D push rdi; ret	0_2_00007FF7672540B9
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725409B push rdi; ret	0_2_00007FF7672540B9
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF7672560A5 push rsi; ret	0_2_00007FF7672560A6
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76725DF2C pushfq ; ret	0_2_00007FF76725DF30
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767253FFC push rdi; ret	0_2_00007FF7672540B9
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767253FE0 push rdi; ret	0_2_00007FF7672540B9
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767253ED4 push r10; ret	0_2_00007FF767253ED6

Source: u35vHcdxuH.exe	Static PE information: section name: .const
Source: u35vHcdxuH.exe	Static PE information: section name: .gehcont

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 00000000004587B2 second address: 0000000000450A8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A1F6h 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A2C1h 0x0000000e jcxz 00007FD1E0E2A2E6h 0x00000011 jmp 00007FD1E0E2A2BCh 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A2A9h 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A292h 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A1C7h 0x00000028 pushfd 0x00000029 call 00007FD1E0E2A285h 0x0000002e add dword ptr [esp], 31h 0x00000032 push eax 0x00000033 mov eax, FFFF828Fh 0x00000038 dec eax 0x00000039 cwde 0x0000003a dec eax 0x0000003b add eax, dword ptr [esp+08h] 0x0000003f dec eax 0x00000040 sub eax, 27h 0x00000043 dec eax 0x00000044 xchg dword ptr [esp], eax 0x00000047 push eax 0x00000048 dec eax 0x00000049 mov eax, dword ptr [esp+18h] 0x0000004d dec eax 0x0000004e xchg dword ptr [esp+08h], eax 0x00000052 dec eax 0x00000053 xchg dword ptr [esp+10h], eax 0x00000057 dec eax 0x00000058 xchg dword ptr [esp+18h], eax 0x0000005c pop eax 0x0000005d popfd 0x0000005e ret 0x0000005f jmp 00007FD1E0E2A28Ch 0x00000061 jmp 00007FD1E0E2A424h 0x00000066 dec eax 0x00000067 mov dword ptr [esp+08h], ecx 0x0000006b jmp 00007FD1E0E2A195h 0x00000070 dec eax 0x00000071 sub esp, 38h 0x00000074 jmp 00007FD1E0E2A373h 0x00000079 dec eax 0x0000007a cmp dword ptr [esp+40h], 00000000h 0x0000007f jmp 00007FD1E0E2A1B6h 0x00000084 push eax 0x00000085 jmp 00007FD1E0E2A193h 0x0000008a push ecx 0x0000008b jmp 00007FD1E0E2A35Bh 0x00000090 push edx 0x00000091 jmp 00007FD1E0E2A24Ch 0x00000096 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 000000000045896A second address: 00000000004317E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A225h 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A2AEh 0x0000000e jcxz 00007FD1E0E2A2C6h 0x00000011 jmp 00007FD1E0E2A2A1h 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A1E2h 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A26Bh 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A294h 0x00000028 pushfd 0x00000029 call 00007FD1E0E2A265h 0x0000002e add dword ptr [esp], 31h 0x00000032 push eax 0x00000033 mov eax, FFFD8DC7h 0x00000038 dec eax 0x00000039 cwde 0x0000003a dec eax 0x0000003b add eax, dword ptr [esp+08h] 0x0000003f dec eax 0x00000040 sub eax, 27h 0x00000043 dec eax 0x00000044 xchg dword ptr [esp], eax 0x00000047 push eax 0x00000048 dec eax 0x00000049 mov eax, dword ptr [esp+18h] 0x0000004d dec eax 0x0000004e xchg dword ptr [esp+08h], eax 0x00000052 dec eax 0x00000053 xchg dword ptr [esp+10h], eax 0x00000057 dec eax 0x00000058 xchg dword ptr [esp+18h], eax 0x0000005c pop eax 0x0000005d popfd 0x0000005e ret 0x0000005f jmp 00007FD1E0E2A26Ch 0x00000061 jmp 00007FD1E0E2A360h 0x00000066 dec eax 0x00000067 mov dword ptr [esp+08h], ecx 0x0000006b jmp 00007FD1E0E2A1E3h 0x00000070 dec eax 0x00000071 sub esp, 18h 0x00000074 jmp 00007FD1E0E2A2E7h 0x00000079 dec eax 0x0000007a cmp dword ptr [esp+20h], 00000000h 0x0000007f jmp 00007FD1E0E2A1FFh 0x00000084 push eax 0x00000085 jmp 00007FD1E0E2A1ACh 0x0000008a push ecx 0x0000008b jmp 00007FD1E0E2A305h 0x00000090 push edx 0x00000091 jmp 00007FD1E0E2A22Ch 0x00000096 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 00000000004473BF second address: 00000000004473BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A2F0h 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A1E5h 0x0000000e jcxz 00007FD1E0E2A2E3h 0x00000011 jmp 00007FD1E0E2A220h 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A20Ch 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A279h 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A311h 0x00000028 dec eax 0x00000029 add eax, 02h 0x0000002c jmp 00007FD1E0E2A2DDh 0x00000031 dec eax 0x00000032 mov dword ptr [esp+20h], eax 0x00000036 jmp 00007FD1E0E2A168h 0x0000003b jmp 00007FD1E0E2A37Eh 0x00000040 dec eax 0x00000041 mov eax, dword ptr [esp+20h] 0x00000045 jmp 00007FD1E0E2A1C3h 0x0000004a movzx eax, word ptr [eax] 0x0000004d jmp 00007FD1E0E2A35Bh 0x00000052 test eax, eax 0x00000054 jmp 00007FD1E0E2A262h 0x00000059 je 00007FD1E0E2A1D0h 0x0000005f jmp 00007FD1E0E2A1D1h 0x00000064 dec eax 0x00000065 mov eax, dword ptr [esp+28h] 0x00000069 jmp 00007FD1E0E2A38Dh 0x0000006e dec eax 0x0000006f mov ecx, dword ptr [esp+20h] 0x00000073 jmp 00007FD1E0E2A2A0h 0x00000078 movzx ecx, word ptr [ecx] 0x0000007b jmp 00007FD1E0E2A1D5h 0x00000080 mov word ptr [eax], cx 0x00000083 jmp 00007FD1E0E2A2D7h 0x00000088 dec eax 0x00000089 mov eax, dword ptr [esp+28h] 0x0000008d jmp 00007FD1E0E2A1DCh 0x00000092 dec eax 0x00000093 add eax, 02h 0x00000096 jmp 00007FD1E0E2A244h 0x0000009b dec eax 0x0000009c mov dword ptr [esp+28h], eax 0x000000a0 jmp 00007FD1E0E2A335h 0x000000a5 dec eax 0x000000a6 mov eax, dword ptr [esp+20h] 0x000000aa jmp 00007FD1E0E2A1CBh 0x000000af push eax 0x000000b0 jmp 00007FD1E0E2A214h 0x000000b5 push ecx 0x000000b6 jmp 00007FD1E0E2A29Bh 0x000000bb push edx 0x000000bc jmp 00007FD1E0E2A370h 0x000000c1 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 0000000000485BE7 second address: 00000000004A161A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A1FAh 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A26Fh 0x0000000e jcxz 00007FD1E0E2A2C6h 0x00000011 jmp 00007FD1E0E2A2AAh 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A2BFh 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A274h 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A193h 0x00000028 dec eax 0x00000029 mov ecx, dword ptr [esp+30h] 0x0000002d jmp 00007FD1E0E2A2CCh 0x00000032 pushfd 0x00000033 call 00007FD1E0E2A265h 0x00000038 add dword ptr [esp], 31h 0x0000003c push eax 0x0000003d mov eax, 0001B9C5h 0x00000042 dec eax 0x00000043 cwde 0x00000044 dec eax 0x00000045 add eax, dword ptr [esp+08h] 0x00000049 dec eax 0x0000004a sub eax, 27h 0x0000004d dec eax 0x0000004e xchg dword ptr [esp], eax 0x00000051 push eax 0x00000052 dec eax 0x00000053 mov eax, dword ptr [esp+18h] 0x00000057 dec eax 0x00000058 xchg dword ptr [esp+08h], eax 0x0000005c dec eax 0x0000005d xchg dword ptr [esp+10h], eax 0x00000061 dec eax 0x00000062 xchg dword ptr [esp+18h], eax 0x00000066 pop eax 0x00000067 popfd 0x00000068 ret 0x00000069 jmp 00007FD1E0E2A26Ch 0x0000006b jmp 00007FD1E0E2A2ABh 0x00000070 dec eax 0x00000071 mov dword ptr [esp+08h], ecx 0x00000075 jmp 00007FD1E0E2A29Dh 0x0000007a dec eax 0x0000007b mov eax, dword ptr [esp+08h] 0x0000007f jmp 00007FD1E0E2A26Bh 0x00000084 dec eax 0x00000085 mov dword ptr [eax], 00000000h 0x0000008b jmp 00007FD1E0E2A1EAh 0x00000090 push eax 0x00000091 jmp 00007FD1E0E2A276h 0x00000096 push ecx 0x00000097 jmp 00007FD1E0E2A287h 0x0000009c push edx 0x0000009d jmp 00007FD1E0E2A230h 0x000000a2 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 0000000000488901 second address: 0000000000431D4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A277h 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A453h 0x0000000e jcxz 00007FD1E0E2A2E6h 0x00000011 jmp 00007FD1E0E2A1D0h 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A1E9h 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A3CAh 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A20Ch 0x00000028 pushfd 0x00000029 call 00007FD1E0E2A285h 0x0000002e add dword ptr [esp], 31h 0x00000032 push eax 0x00000033 mov eax, FFFA923Ch 0x00000038 dec eax 0x00000039 cwde 0x0000003a dec eax 0x0000003b add eax, dword ptr [esp+08h] 0x0000003f dec eax 0x00000040 sub eax, 27h 0x00000043 dec eax 0x00000044 xchg dword ptr [esp], eax 0x00000047 push eax 0x00000048 dec eax 0x00000049 mov eax, dword ptr [esp+18h] 0x0000004d dec eax 0x0000004e xchg dword ptr [esp+08h], eax 0x00000052 dec eax 0x00000053 xchg dword ptr [esp+10h], eax 0x00000057 dec eax 0x00000058 xchg dword ptr [esp+18h], eax 0x0000005c pop eax 0x0000005d popfd 0x0000005e ret 0x0000005f jmp 00007FD1E0E2A28Ch 0x00000061 jmp 00007FD1E0E2A333h 0x00000066 push eax 0x00000067 jmp 00007FD1E0E2A239h 0x0000006c push ecx 0x0000006d jmp 00007FD1E0E2A2CBh 0x00000072 push edx 0x00000073 jmp 00007FD1E0E2A254h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 000000000047C92D second address: 000000000047C92D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A08Fh 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E29C11h 0x0000000e jcxz 00007FD1E0E2A2C6h 0x00000011 jmp 00007FD1E0E2A350h 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A21Dh 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A4B5h 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A067h 0x00000028 jg 00007FD1E0E2AA63h 0x0000002e jmp 00007FD1E0E2AAC0h 0x00000033 dec eax 0x00000034 arpl word ptr [esp+20h], ax 0x00000038 jmp 00007FD1E0E2A2B1h 0x0000003d mov eax, dword ptr [esp+eax*4+50h] 0x00000041 jmp 00007FD1E0E2A179h 0x00000046 mov dword ptr [esp+2Ch], eax 0x0000004a jmp 00007FD1E0E2997Ch 0x0000004f jmp 00007FD1E0E2A51Fh 0x00000054 cmp dword ptr [esp+2Ch], 00000000h 0x00000059 jmp 00007FD1E0E2AA09h 0x0000005e jng 00007FD1E0E29D6Eh 0x00000064 jmp 00007FD1E0E2A557h 0x00000069 mov eax, dword ptr [esp+20h] 0x0000006d jmp 00007FD1E0E29F84h 0x00000072 inc eax 0x00000074 jmp 00007FD1E0E29D45h 0x00000079 mov dword ptr [esp+20h], eax 0x0000007d jmp 00007FD1E0E2A2FFh 0x00000082 mov eax, dword ptr [esp+00000A98h] 0x00000089 jmp 00007FD1E0E2A584h 0x0000008e cmp dword ptr [esp+20h], eax 0x00000092 jmp 00007FD1E0E2A017h 0x00000097 push eax 0x00000098 jmp 00007FD1E0E2A1A7h 0x0000009d push ecx 0x0000009e jmp 00007FD1E0E2A3C6h 0x000000a3 push edx 0x000000a4 jmp 00007FD1E0E2A7BAh 0x000000a9 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 000000000044C735 second address: 000000000044C735 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A1CFh 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A2F7h 0x0000000e jcxz 00007FD1E0E2A2E6h 0x00000011 jmp 00007FD1E0E2A2C4h 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A1E5h 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A246h 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A276h 0x00000028 mov dword ptr [esp+10h], eax 0x0000002c jmp 00007FD1E0E2A368h 0x00000031 cmp dword ptr [esp+10h], 00000000h 0x00000036 jmp 00007FD1E0E2A22Ch 0x0000003b jne 00007FD1E0E2A23Bh 0x00000041 dec eax 0x00000042 mov eax, dword ptr [esp+08h] 0x00000046 jmp 00007FD1E0E2A2ADh 0x0000004b mov dword ptr [eax], 00000000h 0x00000051 jmp 00007FD1E0E2A23Eh 0x00000056 dec eax 0x00000057 mov eax, dword ptr [esp+08h] 0x0000005b jmp 00007FD1E0E2A224h 0x00000060 dec eax 0x00000061 add eax, 04h 0x00000064 jmp 00007FD1E0E2A2F0h 0x00000069 dec eax 0x0000006a mov dword ptr [esp+08h], eax 0x0000006e jmp 00007FD1E0E2A291h 0x00000073 mov eax, dword ptr [esp+10h] 0x00000077 jmp 00007FD1E0E2A210h 0x0000007c dec eax 0x0000007e jmp 00007FD1E0E2A290h 0x00000083 push eax 0x00000084 jmp 00007FD1E0E2A2D3h 0x00000089 push ecx 0x0000008a jmp 00007FD1E0E2A2ACh 0x0000008f push edx 0x00000090 jmp 00007FD1E0E2A2A2h 0x00000095 rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 0000000000440447 second address: 0000000000436001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E2A88Eh 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A17Ch 0x0000000e jcxz 00007FD1E0E2A2C3h 0x00000011 jmp 00007FD1E0E29C1Ah 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A8B3h 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E29FBCh 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A5BAh 0x00000028 dec eax 0x00000029 mov dword ptr [esp+50h], eax 0x0000002d jmp 00007FD1E0E2A295h 0x00000032 dec eax 0x00000033 mov ecx, dword ptr [esp+000000A0h] 0x0000003a jmp 00007FD1E0E2A05Fh 0x0000003f pushfd 0x00000040 call 00007FD1E0E2A265h 0x00000045 add dword ptr [esp], 31h 0x00000049 push eax 0x0000004a mov eax, FFFF56F1h 0x0000004f dec eax 0x00000050 cwde 0x00000051 dec eax 0x00000052 add eax, dword ptr [esp+08h] 0x00000056 dec eax 0x00000057 sub eax, 27h 0x0000005a dec eax 0x0000005b xchg dword ptr [esp], eax 0x0000005e push eax 0x0000005f dec eax 0x00000060 mov eax, dword ptr [esp+18h] 0x00000064 dec eax 0x00000065 xchg dword ptr [esp+08h], eax 0x00000069 dec eax 0x0000006a xchg dword ptr [esp+10h], eax 0x0000006e dec eax 0x0000006f xchg dword ptr [esp+18h], eax 0x00000073 pop eax 0x00000074 popfd 0x00000075 ret 0x00000076 jmp 00007FD1E0E2A26Ch 0x00000078 jmp 00007FD1E0E2A2D6h 0x0000007d push eax 0x0000007e jmp 00007FD1E0E2A220h 0x00000083 push ecx 0x00000084 jmp 00007FD1E0E2A2A4h 0x00000089 push edx 0x0000008a jmp 00007FD1E0E2A238h 0x0000008f rdtsc
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	RDTSC instruction interceptor: First address: 0000000000446CDF second address: 00000000004317E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1E0E29F82h 0x00000007 mov ecx, edx 0x00000009 jmp 00007FD1E0E2A361h 0x0000000e jcxz 00007FD1E0E2A2E3h 0x00000011 jmp 00007FD1E0E2A179h 0x00000016 pop edx 0x00000017 jmp 00007FD1E0E2A3B6h 0x0000001c pop ecx 0x0000001d jmp 00007FD1E0E2A163h 0x00000022 pop eax 0x00000023 jmp 00007FD1E0E2A469h 0x00000028 pushfd 0x00000029 call 00007FD1E0E2A285h 0x0000002e add dword ptr [esp], 31h 0x00000032 push eax 0x00000033 mov eax, FFFEAB89h 0x00000038 dec eax 0x00000039 cwde 0x0000003a dec eax 0x0000003b add eax, dword ptr [esp+08h] 0x0000003f dec eax 0x00000040 sub eax, 27h 0x00000043 dec eax 0x00000044 xchg dword ptr [esp], eax 0x00000047 push eax 0x00000048 dec eax 0x00000049 mov eax, dword ptr [esp+18h] 0x0000004d dec eax 0x0000004e xchg dword ptr [esp+08h], eax 0x00000052 dec eax 0x00000053 xchg dword ptr [esp+10h], eax 0x00000057 dec eax 0x00000058 xchg dword ptr [esp+18h], eax 0x0000005c pop eax 0x0000005d popfd 0x0000005e ret 0x0000005f jmp 00007FD1E0E2A28Ch 0x00000061 jmp 00007FD1E0E2A380h 0x00000066 dec eax 0x00000067 mov dword ptr [esp+08h], ecx 0x0000006b jmp 00007FD1E0E2A203h 0x00000070 dec eax 0x00000071 sub esp, 18h 0x00000074 jmp 00007FD1E0E2A307h 0x00000079 dec eax 0x0000007a cmp dword ptr [esp+20h], 00000000h 0x0000007f jmp 00007FD1E0E2A21Fh 0x00000084 push eax 0x00000085 jmp 00007FD1E0E2A1CCh 0x0000008a push ecx 0x0000008b jmp 00007FD1E0E2A325h 0x00000090 push edx 0x00000091 jmp 00007FD1E0E2A24Ch 0x00000096 rdtsc

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724705F	0_2_00007FF76724705F
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767262ED0	0_2_00007FF767262ED0
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF767250D63	0_2_00007FF767250D63

Source: C:\Users\user\Desktop\u35vHcdxuH.exe TID: 7132

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Code function: 0_2_00007FF76724E930 rdtsc

0_2_00007FF76724E930

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724E85E FindFirstFileW,	0_2_00007FF76724E85E
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724EF55 FindFirstFileW,	0_2_00007FF76724EF55
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724ECC1 FindFirstFileW,	0_2_00007FF76724ECC1
Source: C:\Users\user\Desktop\u35vHcdxuH.exe	Code function: 0_2_00007FF76724ECF3 FindFirstFileW,	0_2_00007FF76724ECF3

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: u35vHcdxuH.exe	Binary or memory string: qhgFsTWTt9HBUCoJCHBX9jlfwgZdIYFqvvoK
Source: u35vHcdxuH.exe, 00000000.00000002.835401649.000001E19C9FA000.00000004.00000001.sdmp, u35vHcdxuH.exe, 00000000.00000002.835580240.000001E19CFAF000.00000004.00000001.sdmp, u35vHcdxuH.exe, 00000000.00000003.834771298.000001E19C9FA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: u35vHcdxuH.exe	Binary or memory string: F9jDlFKrjw4edPG2gEQdsgUUYCHGfss4REcGwUicVRvCSI4WXyPlAwXGJePunnNXu8U=

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Code function: 0_2_00007FF76724E930 rdtsc

0_2_00007FF76724E930

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Code function: 0_2_00007FF76725A570 cpuid

0_2_00007FF76725A570

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Code function: 0_2_00007FF7674B92C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7674B92C4

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\u35vHcdxuH.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Path Interception	Virtualization/Sandbox Evasion122	OS Credential Dumping1	System Time Discovery11	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	Credentials in Registry1	Security Software Discovery311	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Virtualization/Sandbox Evasion122	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery213	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
u35vHcdxuH.exe	39%	Virustotal		Browse
u35vHcdxuH.exe	28%	ReversingLabs	Win64.Trojan.Lazy
u35vHcdxuH.exe	100%	Avira	HEUR/AGEN.1139927

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.u35vHcdxuH.exe.7ff767240000.0.unpack	100%	Avira	HEUR/AGEN.1139927		Download File
0.2.u35vHcdxuH.exe.7ff767240000.0.unpack	100%	Avira	HEUR/AGEN.1139927		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://88.119.175.100/	0%	Avira URL Cloud	safe
https://88.119.175.100	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://88.119.175.100/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://88.119.175.100	u35vHcdxuH.exe, 00000000.00000002.835580240.000001E19CFAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.119.175.100	unknown	Lithuania		61272	IST-ASLT	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	542989
Start date:	20.12.2021
Start time:	19:36:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	u35vHcdxuH (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@1/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 88.3% (good quality ratio 54.2%) Quality average: 39.7% Quality standard deviation: 37.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.119.175.100	hpgwQPiZFj.exe	Get hash	malicious	Browse
88.119.175.100	Ziw3SMJYlQ.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IST-ASLT	Hs0ExJaelk.exe	Get hash	malicious	Browse	88.119.175.54
	hpgwQPiZFj.exe	Get hash	malicious	Browse	88.119.175.100
	Ziw3SMJYlQ.exe	Get hash	malicious	Browse	88.119.175.100
	ftYLFS9Mqv.exe	Get hash	malicious	Browse	88.119.175.54
	kQ9HU0gKVH.exe	Get hash	malicious	Browse	88.119.174.179
	4kdhjDvPzN.exe	Get hash	malicious	Browse	185.64.104.9
	4kdhjDvPzN.exe	Get hash	malicious	Browse	185.64.104.9
	fMo9q56dnX.exe	Get hash	malicious	Browse	88.119.161.165
	idX4FFBrZC.exe	Get hash	malicious	Browse	88.119.161.165
	File-Setup.exe	Get hash	malicious	Browse	88.119.161.76
	setup_x86_x64_install.exe	Get hash	malicious	Browse	88.119.161.165
	setup_installer.exe	Get hash	malicious	Browse	88.119.161.165
	setup_x86_x64_install.exe	Get hash	malicious	Browse	88.119.161.165
	activate it to password.exe	Get hash	malicious	Browse	88.119.161.76
	AA9FF4E33F61DD2FC164A21D0A53397F19B7F9C64D786.exe	Get hash	malicious	Browse	185.25.50.59
	oCgMddAyze.exe	Get hash	malicious	Browse	213.252.245.117
	50SOzviZCF.exe	Get hash	malicious	Browse	213.252.245.117
	jjw16C4BnB.exe	Get hash	malicious	Browse	213.252.244.191
	g9QzObrUeM.exe	Get hash	malicious	Browse	213.252.244.191
	sZqcv9vi4c.exe	Get hash	malicious	Browse	185.25.51.72

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	Hs0ExJaelk.exe	Get hash	malicious	Browse	88.119.175.100
	hpgwQPiZFj.exe	Get hash	malicious	Browse	88.119.175.100
	I4gUMZH8oF.dll	Get hash	malicious	Browse	88.119.175.100
	XEjLRpNx4J.dll	Get hash	malicious	Browse	88.119.175.100
	8Lp5yoZ6B4.dll	Get hash	malicious	Browse	88.119.175.100
	7bA7UknK6b.dll	Get hash	malicious	Browse	88.119.175.100
	15UdvY19Nz.dll	Get hash	malicious	Browse	88.119.175.100
	Ziw3SMJYlQ.exe	Get hash	malicious	Browse	88.119.175.100
	ftYLFS9Mqv.exe	Get hash	malicious	Browse	88.119.175.100
	Invoice and documentsfdp.exe	Get hash	malicious	Browse	88.119.175.100
	0x0005000000012636-65.exe	Get hash	malicious	Browse	88.119.175.100
	Invoice_#fdp..exe	Get hash	malicious	Browse	88.119.175.100
	VQvqBq26oz.dll	Get hash	malicious	Browse	88.119.175.100
	VQvqBq26oz.dll	Get hash	malicious	Browse	88.119.175.100
	cZGG0vOO6.dll	Get hash	malicious	Browse	88.119.175.100
	cZGG0vOO6.dll	Get hash	malicious	Browse	88.119.175.100
	KLY0GHQG9H.doc	Get hash	malicious	Browse	88.119.175.100
	DOC10077564411241521013.doc	Get hash	malicious	Browse	88.119.175.100
	K9N9t3hLe.dll	Get hash	malicious	Browse	88.119.175.100
	SecuriteInfo.com.LresultFromObject.17634.exe	Get hash	malicious	Browse	88.119.175.100

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.3606402098696595
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	u35vHcdxuH.exe
File size:	3866112
MD5:	3c7c6d236721ea4cef0f904ebde6f575
SHA1:	d82cd631a49a175caace0fb209f7b9da16e29655
SHA256:	ed107d31ac4a6e8f665986e3326cc2c4551fd00ba26f5414faa8edd0f7c20061
SHA512:	88fab38223b5b419599394ab5cefd6fdc39ca8fcb49168e022f07a06afa549abe162d194ffdcd1ea7233a867162380f0354b1123d9ce6c0d140ccc1a8d47ffa8
SSDEEP:	49152:1hSeTy8RkhB/h9CCEIkqdDjOgmeNbTVghSXugo:eERkPqC3df2uo
File Content Preview:	MZ......................@..............................................q{.edA:....f...16...z.8....C.Z..+^...6..Yb,....A...Jx..]K..9`=.....,!.w..j.@..g.:..C#d..!...@.K..I..9 ..!.i...2`.3I..hK.d..e..l.._D.....j..C.......B.5....8i.w...$."S}...W^.PD>,S8.....`

File Icon


Icon Hash:	c1d3d12c2d212453

Static PE Info

General
Entrypoint:	0x140278ffc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x61BE7867 [Sun Dec 19 00:10:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	4bde4f08c217ad48a6baa148956a6236

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD1E0AB55C4h
dec eax
add esp, 28h
jmp 00007FD1E0AB517Fh
int3
int3
dec eax
sub esp, 28h
call 00007FD1E0AB5AF8h
test eax, eax
je 00007FD1E0AB5323h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FD1E0AB5307h
dec eax
cmp ecx, eax
je 00007FD1E0AB5316h
xor eax, eax
dec eax
cmpxchg dword ptr [00117EC4h], ecx
jne 00007FD1E0AB52F0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FD1E0AB52F9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00117EAFh]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00117E9Fh], al
call 00007FD1E0AB5927h
call 00007FD1E0AB6116h
test al, al
jne 00007FD1E0AB5306h
xor al, al
jmp 00007FD1E0AB5316h
call 00007FD1E0AB8C61h
test al, al
jne 00007FD1E0AB530Bh
xor ecx, ecx
call 00007FD1E0AB6132h
jmp 00007FD1E0AB52ECh
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 40h
cmp byte ptr [00117E64h], 00000000h
mov ebx, ecx
jne 00007FD1E0AB53B6h
cmp ecx, 01h
ja 00007FD1E0AB53B5h
call 00007FD1E0AB5A56h
test eax, eax
je 00007FD1E0AB532Ah
test ebx, ebx
jne 00007FD1E0AB5326h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38f310	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a0000	0x15340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x393000	0x8100	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b6000	0xd00	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x38d1f0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x285000	0x238	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x283330	0x283400	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x285000	0x10aa86	0x10ac00	False	0.613361791237	data	5.23915572381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x390000	0x21c8	0x1000	False	0.2822265625	data	3.05829947284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x393000	0x85e8	0x8600	False	0.496181203358	data	5.92511923147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.const	0x39c000	0x1729	0x1800	False	0.531901041667	data	5.19883874529	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x39e000	0x608	0x800	False	0.01123046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gehcont	0x39f000	0xc	0x200	False	0.0390625	data	0.0611628522412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3a0000	0x15340	0x15400	False	0.0439108455882	data	3.90846906966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b6000	0xd00	0xe00	False	0.742745535714	data	6.00600594562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x3a04c0	0x63d8	data	English	United States
RT_BITMAP	0x3a6898	0x1d08	data	English	United States
RT_BITMAP	0x3a85a0	0xbea0	data	English	United States
RT_ICON	0x3b4440	0x2e8	data	English	United States
RT_ICON	0x3b4740	0xa68	dBase IV DBT of \200.DBF, blocks size 0, block length 2560, next free block index 40, next free block 0, next used block 0	English	United States
RT_GROUP_ICON	0x3b4728	0x14	data	English	United States
RT_GROUP_ICON	0x3b51a8	0x14	data	English	United States
RT_VERSION	0x3a0240	0x280	data	English	United States
RT_MANIFEST	0x3b51c0	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

Sleep, GetSystemTime, GetLocalTime, GetVersion, GetTickCount, WriteConsoleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle

Version Infos

Description	Data
LegalCopyright	Pine Shit (c) 2005
FileVersion	6.4.14.15
CompanyName	Say celebrate Date
ProductName	Almost publication
ProductVersion	15.7.12.14
FileDescription	Dress Suffer fuel basis
Translation	0x040a 0x04e6

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2021 19:38:57.754231930 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:57.754275084 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:57.754364967 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:57.776552916 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:57.776580095 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.025950909 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.026150942 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.428389072 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.428426027 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.428725958 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.428822041 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.450517893 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.450599909 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.450674057 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.690387964 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.690466881 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.690474987 CET	443	49762	88.119.175.100	192.168.2.4
Dec 20, 2021 19:38:58.690525055 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.692550898 CET	49762	443	192.168.2.4	88.119.175.100
Dec 20, 2021 19:38:58.692586899 CET	443	49762	88.119.175.100	192.168.2.4

HTTP Request Dependency Graph

88.119.175.100

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49762	88.119.175.100	443	C:\Users\user\Desktop\u35vHcdxuH.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-20 18:38:58 UTC	0	OUT	POST / HTTP/1.1 Accept: text/html, application/octet-stream, application/json Content-Type: text/html T: m94DmiorMa User-Agent: curl/6.17.0 Host: 88.119.175.100 Content-Length: 8093 Connection: Close Cache-Control: no-cache
2021-12-20 18:38:58 UTC	0	OUT	Data Raw: 6e 76 20 77 20 67 20 70 69 68 20 6f 6e 70 20 6d 20 63 6c 71 20 65 6e 63 20 72 20 72 6d 74 20 64 79 20 75 20 63 6c 20 66 72 20 69 20 72 76 20 6f 77 73 20 70 78 20 6b 64 65 20 61 63 20 6f 6b 77 20 68 20 79 20 64 20 6a 6d 20 6b 62 6e 20 78 63 20 74 20 66 70 77 20 6a 20 6a 66 62 20 68 69 65 20 69 73 78 20 6d 65 20 61 20 77 79 78 20 62 74 6f 20 71 66 6f 20 6e 75 20 63 70 6f 20 61 69 76 20 73 20 69 6b 6b 20 66 6a 76 20 6d 76 20 6a 62 78 20 65 20 71 77 20 69 76 20 79 66 76 20 63 66 70 20 66 20 62 6a 61 20 63 78 64 20 6c 63 20 75 6e 20 63 66 20 71 6d 6c 20 63 72 20 6c 72 77 20 63 20 71 20 78 20 63 68 20 6d 71 71 20 65 78 20 74 6d 20 79 65 20 6a 75 71 20 71 78 20 66 73 70 20 71 66 78 20 71 63 20 6b 75 20 6c 71 6a 20 63 77 20 72 77 65 20 72 6b 20 79 68 20 70 75 20 Data Ascii: nv w g pih onp m clq enc r rmt dy u cl fr i rv ows px kde ac okw h y d jm kbn xc t fpw j jfb hie isx me a wyx bto qfo nu cpo aiv s ikk fjv mv jbx e qw iv yfv cfp f bja cxd lc un cf qml cr lrw c q x ch mqq ex tm ye juq qx fsp qfx qc ku lqj cw rwe rk yh pu
2021-12-20 18:38:58 UTC	8	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 20 Dec 2021 18:38:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-12-20 18:38:58 UTC	8	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: u35vHcdxuH.exe PID: 7108 Parent PID: 5480

General

Start time:	19:37:36
Start date:	20/12/2021
Path:	C:\Users\user\Desktop\u35vHcdxuH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\u35vHcdxuH.exe"
Imagebase:	0x7ff767240000
File size:	3866112 bytes
MD5 hash:	3C7C6D236721EA4CEF0F904EBDE6F575
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: u35vHcdxuH.exe PID: 7108 Parent PID: 5480 u35vHcdxuH.exeCOMMON

Executed Functions

Function 00007FF76724E85E, Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00007FF76724EF60

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b7189bf397a07e7b3a5ba4a3a55a2d7082c155f7f81e6ec4474014dadf5f93d9
Instruction ID: a81438a36c962059e0f72c99d2144920208d8b9f0f739ae4a472985e4bf13d80
Opcode Fuzzy Hash: b7189bf397a07e7b3a5ba4a3a55a2d7082c155f7f81e6ec4474014dadf5f93d9
Instruction Fuzzy Hash: 2BC01210C0D482CCF0B0A200E4A223CA2A04B0C388EA40834C82F01ADCDC5CA80B2521

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724ECF3, Relevance: 1.5, APIs: 1, Instructions: 8fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00007FF76724EF60

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8dedfee86014fc05e3becc927f613c5f95a9a81ae1689507e5f19f77963196b1
Instruction ID: 3d02d4246da3b00a546a2d704d2725b7b7cda42fd73f8970074263c0bdb0282f
Opcode Fuzzy Hash: 8dedfee86014fc05e3becc927f613c5f95a9a81ae1689507e5f19f77963196b1
Instruction Fuzzy Hash: 7BC0122190CA85D4E1B0E600F49107DA370A7847C4FA00430E54F415CCEF28D5459720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724ECC1, Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00007FF76724EF60

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a2fa310a9caec9d25becfb9c2cb90363e07dec31e5a5f35b901ab1ac5f49f568
Instruction ID: 2b025e3c6fbc6d39b2f9d9d77f897a3e07e1586390862bd1e7d13dd605092376
Opcode Fuzzy Hash: a2fa310a9caec9d25becfb9c2cb90363e07dec31e5a5f35b901ab1ac5f49f568
Instruction Fuzzy Hash: 72C04C61D1D985D9E1A1D750E59237EA76497883C4FF00830E54F425CCEF2CD54A5621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724EF55, Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00007FF76724EF60

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c5bdb6e6574f45b3dc06dfebfb3448ce67567a76db469a51aef8e0b0e63f7ced
Instruction ID: ee9385fee41174f0241eb79b191b6ca5cf59d78707e2279fbf502dece66392c4
Opcode Fuzzy Hash: c5bdb6e6574f45b3dc06dfebfb3448ce67567a76db469a51aef8e0b0e63f7ced
Instruction Fuzzy Hash: 25B01230C39941C4E5905306BC6232965944B88BE1F140874A54F03388ED1896420514

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724E930, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0138079ee7468ca952b3431a52e117cb8549a8e1052b82ea02d6ecaf07980ba9
Instruction ID: 6b4044b1f28cfaedc7ea9204a10266e08cfa6d0e0a48dd40a4d5f8b15896adc3
Opcode Fuzzy Hash: 0138079ee7468ca952b3431a52e117cb8549a8e1052b82ea02d6ecaf07980ba9
Instruction Fuzzy Hash: 53E03022D0CD47C4F2A5D954E85677CD330AB403F8F904331E57A514E8CF6CE58E5611

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724E758, Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF76724E781

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 21d6b12eaf791108062239497d820c9bc2150ddd459bc3c0aafe0eeb17d36fcd
Instruction ID: ed24e9ea9c1cf2ccfe014881200e5e86ff7be1ee60ffa5647e6f8fe7aedfeb2a
Opcode Fuzzy Hash: 21d6b12eaf791108062239497d820c9bc2150ddd459bc3c0aafe0eeb17d36fcd
Instruction Fuzzy Hash: 1EF01D10E0C982DCF960F204D4627B8D370AF543A9FD44031D96F81A9CDE6CE80A6624

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724EA02, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00007FF76724EA15

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5eb80a15f5ab0edaf9aa00bfca79878477d2e2ecba1b0f141d6d7fd898f25cfa
Instruction ID: 2b52c77026fe5379812b8caa9e539f49a3f4c84ec7e3b016d3abea37ae923ec8
Opcode Fuzzy Hash: 5eb80a15f5ab0edaf9aa00bfca79878477d2e2ecba1b0f141d6d7fd898f25cfa
Instruction Fuzzy Hash: B3F05410E1C982D8F570F604E86677DE3709F517E8FB40135DA6E059ECDF2CA44E5625

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724D3A9, Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF76724D37D

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 91cde86bf499bcfa3920ecc1def975c54b7a0d10f2e46f7aff06ffca7905ff2f
Instruction ID: 5e0ef2487c4065ea4b54bd71505fc7d41cf613dc6e387d7a534dd91c3ff03392
Opcode Fuzzy Hash: 91cde86bf499bcfa3920ecc1def975c54b7a0d10f2e46f7aff06ffca7905ff2f
Instruction Fuzzy Hash: E5E04892A1CC41D8E3659140F51237DDA306759799FB44032EF6C12B9CCD7CE84B5E50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724D3B3, Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF76724D37D

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9fe8526d55ff94fcb114092e93e129ac45ca9731078838a56f296d6fc0833984
Instruction ID: 88a955ad8d0df8ae24c105bc3abc262c232910840f34d5208f6144e471841fc0
Opcode Fuzzy Hash: 9fe8526d55ff94fcb114092e93e129ac45ca9731078838a56f296d6fc0833984
Instruction Fuzzy Hash: 5AE08692F0CC01E8E3658540F91237EC6216758398EA44032EE6C12FA8DE7C944B1D10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724D304, Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF76724D37D

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 72e1053a7eed28de63639c478a41bc5aafabb20b41ba2c5099783d14fc90b73b
Instruction ID: 8585a7e2a48ec23362c8a95cca5a6052a63e8d1722670124ad29898543cd31d9
Opcode Fuzzy Hash: 72e1053a7eed28de63639c478a41bc5aafabb20b41ba2c5099783d14fc90b73b
Instruction Fuzzy Hash: DFE01292A0CC45D9E365A140F51237DDA306759398EB44032EF6D16B9CCD7DE44A6E50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724E774, Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF76724E781

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 507fad023557d519c4bd95143a43bbdb768067b692f1a1d55e5ce15fad0fc602
Instruction ID: ead74da027734cd193a44ef6e6bb773f8732bf88ecdbe646de5bbcf490f918b5
Opcode Fuzzy Hash: 507fad023557d519c4bd95143a43bbdb768067b692f1a1d55e5ce15fad0fc602
Instruction Fuzzy Hash: 6AE01700E1C9A3CCF5A0B224E86A3B8D2A16F153BAFD40330EC7E446D8DE5CB94A5124

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724E948, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF76724E94F

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 352429adb04178b0e79844c936007fb6b2ead77e3eb13fd0e7c6fdb579afc745
Instruction ID: 85eb00593de47852da4301d2c83c49ee0b7ac44b8ba8a09e256eeb5a8d334c19
Opcode Fuzzy Hash: 352429adb04178b0e79844c936007fb6b2ead77e3eb13fd0e7c6fdb579afc745
Instruction Fuzzy Hash: 5DD0C92BA0C94DC5E2569A81F512B3CD331B7017F4F500432ED6C22A88DEA895D94601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724D373, Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF76724D37D

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 05943ff96b84c3a240384ccc72bcbd86eec41e7166e2d37bacd0692015d97e5a
Instruction ID: 9872810e84e72f32c3dcb040a71b81412517772a40a43a39984ba80ede766c8c
Opcode Fuzzy Hash: 05943ff96b84c3a240384ccc72bcbd86eec41e7166e2d37bacd0692015d97e5a
Instruction Fuzzy Hash: F5D01293B0CC05D8E3659681FE1163ED72067283B9F640632EE7C22BE88F7854C66C61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76724E9A8, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF76724E94F

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: cca22fff02a6cc7a4002853633f301dd15dbff3dd9f0997e41f5773847bbe20d
Instruction ID: c3bfd89c639ca578fd5d9da4297b041cbdbbf63c2dc2933afa1059596ed78ae9
Opcode Fuzzy Hash: cca22fff02a6cc7a4002853633f301dd15dbff3dd9f0997e41f5773847bbe20d
Instruction Fuzzy Hash: B2D09E33E1C84DC9E295DA81F412B3DD331A7407E8F500431E95E57A98DE68D5D95611

Uniqueness

Uniqueness Score: -1.00%

Function 00436D9F, Relevance: 1.5, APIs: 1, Instructions: 11libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 004370B0

Memory Dump Source

Source File: 00000000.00000002.835076107.0000000000431000.00000040.00000001.sdmp, Offset: 00431000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cd4222d6f0e331630010060e718ea2187a2669aae9df52e87b8619561c0b8f1f
Instruction ID: 4db76392a1f88cf66233729b2395d95c18147d4f57783ce78e89af4eb397187a
Opcode Fuzzy Hash: cd4222d6f0e331630010060e718ea2187a2669aae9df52e87b8619561c0b8f1f
Instruction Fuzzy Hash: FBC002B011CB99EDC2B5AF5484947EA72E0BB8D381F606C1B84DF81040DA38028AE62B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF76724705F, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728efb07d2eb8f3461c7f692776f346cd6f80e0a1a7dcdbc87b456694b72daad
Instruction ID: 5202f5d8e067d86360d77dba7b15dec9798fdcd4ebe62862a2423a110750b540
Opcode Fuzzy Hash: 728efb07d2eb8f3461c7f692776f346cd6f80e0a1a7dcdbc87b456694b72daad
Instruction Fuzzy Hash: 3C012D22A1CA42CDE264A640E45537AE1B0E7543E8F541735FDB811BCCDF3CE5568B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF767250D63, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe7cff89ec1b21206d81085e2208a5664e02fa0706aca8364fae1ea203c1026
Instruction ID: 64127cfcecc9a43e6843928222129e9f881abd84d458ad25ae69e95a953df279
Opcode Fuzzy Hash: fbe7cff89ec1b21206d81085e2208a5664e02fa0706aca8364fae1ea203c1026
Instruction Fuzzy Hash: F5E07281B72C0A8CF71042B58E16B85890643833B1E891304AC3900AE0372A8AE2C883

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF76725A570, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca7a57cbdd9ae0b262db4a1bb24311426d12ff1fd13b681674abb1b5782cbe3
Instruction ID: be35336651b011f12408a0e766ef53d1be85a5cb21a0662db853f32a64e85c7b
Opcode Fuzzy Hash: 7ca7a57cbdd9ae0b262db4a1bb24311426d12ff1fd13b681674abb1b5782cbe3
Instruction Fuzzy Hash: 48D0A703A0C452D9E7900909A831E7A5421AF403CCDD04076EE4807B44CD2C80970E71

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF767262ED0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.835721507.00007FF767241000.00000020.00020000.sdmp, Offset: 00007FF767240000, based on PE: true

Associated: 00000000.00000002.835716539.00007FF767240000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836012532.00007FF7674C5000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836130334.00007FF7675D0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836136878.00007FF7675D3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.836144381.00007FF7675DC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.836149425.00007FF7675DE000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.836154304.00007FF7675E0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0d4041906478365e85c5b2491c49d3c99333091289d3ce281ced7c512bc609
Instruction ID: 38f8daad2698c60697bea3734db2ffa2b02692b245b856a55a7183215faf9393
Opcode Fuzzy Hash: 4e0d4041906478365e85c5b2491c49d3c99333091289d3ce281ced7c512bc609
Instruction Fuzzy Hash: AAB01208F2B417D5F3814E285F233C209444358374EC7DF601D39004DA055C4B73644C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report u35vHcdxuH

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: u35vHcdxuH.exe PID: 7108 Parent PID: 5480

General