Create Interactive Tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	791757
MD5:	30815e7574409c788e6cfb3247250ee7
SHA1:	940d9d02537afa8a892df4920ffc1f9a79c1895a
SHA256:	89b2997d84ff0789fac1f4b9a2418ce8f74bed901c6eec51560a9f3b5c639e4b
Tags:	exe
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Adds a directory exclusion to Windows Defender

Sets debug register (to hijack the execution of another thread)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Entry point lies outside standard sections

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 4648 cmdline: C:\Users\user\Desktop\file.exe MD5: 30815E7574409C788E6CFB3247250EE7)

powershell.exe (PID: 2828 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.b50000.0.unpack	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0xdd171:$s2: is protected by an unregistered version of .NET Reactor!" );</script>

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Filez Downloader Checkin M2 - Source IP: 192.168.2.7 - Destination IP: 179.43.140.229

Timestamp:	192.168.2.7179.43.140.22949775802852939 01/25/23-21:07:05.925109
SID:	2852939
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b50000.0.unpack

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2852939 ETPRO TROJAN Filez Downloader Checkin M2 192.168.2.7:49775 -> 179.43.140.229:80

Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://179.43.140.229/
Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://179.43.140.229/DLCGHOUL.php
Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://179.43.140.229/DLEBEBRA2.php
Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://179.43.140.229/DLIMSORRY.php
Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://179.43.140.229/NLIFE.php
Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://179.43.140.229/VERBORROV.php
Source: powershell.exe, 0000000C.00000002.534261313.0000022E32B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.467293034.0000022E1AA51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.b50000.0.unpack, type: UNPACKEDPE

Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen

Source: 0.2.file.exe.b50000.0.unpack, type: UNPACKEDPE

Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093F392	0_2_0093F392
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093F68D	0_2_0093F68D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00942EA9	0_2_00942EA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093F7F7	0_2_0093F7F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00942E15	0_2_00942E15
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094C412	0_2_0094C412
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093E43F	0_2_0093E43F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093FA3C	0_2_0093FA3C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093EF69	0_2_0093EF69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFDC8824359	0_2_00007FFDC8824359
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFDC8823F44	0_2_00007FFDC8823F44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFDC88224B8	0_2_00007FFDC88224B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFDC88A0088	0_2_00007FFDC88A0088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009395A3	0_2_009395A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093E62E	0_2_0093E62E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093EA4D	0_2_0093EA4D

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 98%

Source: file.exe, 00000000.00000000.248054256.0000000000DCA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecbInterface.exeR vs file.exe
Source: file.exe, 00000000.00000002.545287951.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamecbInterface.exeR vs file.exe

Source: file.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9997964919259783
Source: TGTMAH.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9997964919259783

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yprrpsu4.ack.ps1

Jump to behavior

Source: classification engine

Classification label: mal92.evad.winEXE@4/5@0/0

Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_01
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\TGTMAH

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static file information: File size 2866176 > 1048576

Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b2600
Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x109200

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b50000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b50000.0.unpack .data:ER;.rsrc:R;.rsrc:EW; vs Unknown_Section0:ER;Unknown_Section1:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B56CAB push rbp; retf	0_2_00B56CAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B549ED pushfq ; ret	0_2_00B549EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B590EE push rdx; retf	0_2_00B590FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B53CE9 push rsp; retf	0_2_00B53D74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B53D50 push rsp; retf	0_2_00B53D74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B57FDD push rsp; ret	0_2_00B5800D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFDC88A4C39 push ds; iretd	0_2_00007FFDC88A4C3F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFDC87A7D11 push ebx; retf 000Ah	12_2_00007FFDC87A7D3A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFDC87A7CAA push ebx; retf 000Ah	12_2_00007FFDC87A7CDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFDC87A3247 push esp; retf	12_2_00007FFDC87A3248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFDC87A72D3 push ebx; iretd	12_2_00007FFDC87A731A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFDC87A4C0C push cs; iretd	12_2_00007FFDC87A4C0F

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: file.exe

Static PE information: 0x924169B0 [Fri Oct 4 00:07:12 2047 UTC]

Source: initial sample	Static PE information: section name: .rsrc entropy: 7.9997654885259255
Source: initial sample	Static PE information: section name: .rsrc entropy: 7.9997654885259255

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\tgtAudio\TGTMAH.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\tgtAudio\TGTMAH.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe

Special instruction interceptor: First address: 0000000000948BF7 instructions caused by: Self-modifying code

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe	Binary or memory string: WINDBG.EXE
Source: file.exe, 00000000.00000002.547971988.0000000000DE6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: IDAQ64.EXEWINDBG.EXEMSVSMON.EXEFDBG.EXEWIN64_REMOTEX64.EXEIDAG64.EXEX64_DBG.EXE

Source: C:\Users\user\Desktop\file.exe TID: 5388	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5388	Thread sleep time: -82000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5092	Thread sleep count: 9804 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1696	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\ProgramData\tgtAudio\TGTMAH.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9804

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: <\\.\VBoxGuest
Source: file.exe	Binary or memory string: \\.\VBoxGuest

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe

Open window title or class name: ollydbg

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugFlags	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\file.exe

Thread register set: 4648 501

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	22 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://179.43.140.229/	0%	Avira URL Cloud	safe
http://179.43.140.229/DLIMSORRY.php	0%	Avira URL Cloud	safe
http://179.43.140.229/DLEBEBRA2.php	0%	Avira URL Cloud	safe
http://179.43.140.229/DLCGHOUL.php	0%	Avira URL Cloud	safe
http://179.43.140.229/NLIFE.php	0%	Avira URL Cloud	safe
http://179.43.140.229/VERBORROV.php	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://179.43.140.229/NLIFE.php	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://179.43.140.229/VERBORROV.php	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.527936465.0000022E2AAAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://179.43.140.229/	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.467293034.0000022E1AA51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.467293034.0000022E1AC57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://179.43.140.229/DLEBEBRA2.php	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://179.43.140.229/DLIMSORRY.php	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://179.43.140.229/DLCGHOUL.php	file.exe, 00000000.00000002.548465068.00000000043FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791757
Start date and time:	2023-01-25 21:03:41 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.evad.winEXE@4/5@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.7% (good quality ratio 8.6%) Quality average: 68% Quality standard deviation: 26.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 80.67.82.235, 80.67.82.211
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com
Execution Graph export aborted for target file.exe, PID 4648 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2828 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:05:26	API Interceptor	34x Sleep call for process: powershell.exe modified
21:07:04	Task Scheduler	Run new task: TGTMAH path: C:\ProgramData\tgtAudio\TGTMAH.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	536543232
Entropy (8bit):	0.062438005632173416
Encrypted:	false
SSDEEP:
MD5:	59E7A0AB00BB818A31E67508C92F1A95
SHA1:	7F72A9A7915D33287D6654077C977D352C6B6D34
SHA-256:	A428F5260643308A49172D5B7C7348C3D7F52E29A6452AE4FA7202C3B4F801E2
SHA-512:	8E8541454735EE660C39149A197D893783CD4E0D3C7C16DC4B93B4C2B2EF940AE98AE9CED418633E0DC0C9FD2E53300F99AAF2F5EA7C88222D706019E2056310
Malicious:	false
Reputation:	low
Preview:	MZ......?_kJ..5..U.y.A..nS..-.g`......Epi..._:..D....w.8.............!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................PE..d....iA..........."...0.......+......a).. ....@...... ........................:......+,...@...@......@............... .......................`)...... ...%...........................................................................................................data........ ...................... ..`.rsrc....%... ...&..................@..@.rsrc........`)......*..............`...........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18817
Entropy (8bit):	5.001217266823362
Encrypted:	false
SSDEEP:	384:ufib4GGVoGIpN6KQkj2Akjh4iUxGzCdaOdB/NXp5CvOjJEYoV4fib41:uIGV3IpNBQkj25h4iUxGzCdaOdB/NZwY
MD5:	DB93B232EFF0785FDDC28A0D5DAE38D2
SHA1:	AF5AFE47557C49F165F66B2B63962D9EB28E3157
SHA-256:	92939214003421B64153B215D15F89595673C709110FC6E005FF955F6684C390
SHA-512:	5D161CFEE2631553AC2FA8EE407FE4CBA23C9A666BB69049C0FCCBEE99413983C678E4779426532FB4F5E622155C9EFF8DA57CD93AE4453D57301B32C19CBAA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1l5gnjj.lhp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yprrpsu4.ack.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.050720695954934
TrID:	Win64 Executable GUI (202006/5) 93.52% Win64 Executable (generic) (12005/4) 5.56% DOS Executable Generic (2002/1) 0.93%
File name:	file.exe
File size:	2866176
MD5:	30815e7574409c788e6cfb3247250ee7
SHA1:	940d9d02537afa8a892df4920ffc1f9a79c1895a
SHA256:	89b2997d84ff0789fac1f4b9a2418ce8f74bed901c6eec51560a9f3b5c639e4b
SHA512:	2075b05bdf05c1e33da4c946919b81227f115089b09e4bd88a77b57b9878194b92faec5812e7dc5a4b1bbaa767cab1c02a412adb878a365a366c6ceab5621f55
SSDEEP:	49152:rQZ/9ZcgVR0HptbPPlmaN/eefrGDzQtz:rE1Zc51PFN/daXE
TLSH:	D8D5DF59FE1BD0A3F66E8434C46A85B94E20EC25A6C2522E397CFE3D527434224BD73D
File Content Preview:	MZ.......?_kJ...5..U.y.A..nS..-.g`......Epi..._:..D....w.8..............!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	7186869696def800

Static PE Info

General

Entrypoint:	0x6961c0
Entrypoint Section:	.rsrc
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x924169B0 [Fri Oct 4 00:07:12 2047 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cdd73a766273625b53bd22f0062b1110

Entrypoint Preview

Instruction
jmp 00007F6B2CAC62FCh
je 00007F6B2CAC609Ch
jmp 00007F6B2CAC6063h
sub eax, 01DAE990h
add byte ptr [eax], al
nop
jmp 00007F6B2CAC6064h
sal byte ptr [ebp+75F6334Dh], 1
enter 334Dh, FFh
jnbe 00007F6B2CAC604Bh
jmp 00007F6B2CAC6139h
jmp 00007F6B2CAC6063h
mov ebp, ecx
dec ebp
add al, 00h
add bl, ch
add edi, dword ptr [ebx+ebx*4+2B850F56h]
add eax, dword ptr [eax]
add cl, ch
or dword ptr [edx], eax
add byte ptr [eax], al
nop
jmp 00007F6B2CAC6064h
mov dword ptr [ecx+41h], esp
shl edx, 10h
jmp 00007F6B2CAC6065h
xor dh, byte ptr [ebx-2FF4BA6Ah]
jc 00007F6B2CAC601Ah
inc ecx
mov eax, edx
jmp 00007F6B2CAC6064h
dec eax
jmp 00007F6B3570E3ADh
jmp 00007F6B2CAC6065h
sar word ptr [ecx+esi], 0005h
or al, 04h
add byte ptr [eax], al
jc 00007F6B2CAC6054h
dec eax
lea edx, dword ptr [0000040Bh]
jmp 00007F6B2CAC6064h
and eax, 058B445Ah
cld
add eax, dword ptr [eax]
add bl, ch
add dword ptr [eax], edx
dec esp
lea ecx, dword ptr [000003E2h]
jmp 00007F6B2CAC6063h
mov al, byte ptr [03DD0531h]
add byte ptr [eax], al
jo 00007F6B2CAC6047h
xor dword ptr [000003D9h], eax
jc 00007F6B2CAC6092h
xor dword ptr [000003C9h], eax
jno 00007F6B2CAC6065h
fisttp word ptr [eax+0D8D481Ah]
rol dword ptr [ebx], 1
add byte ptr [eax], al
jmp 00007F6B2CAC6063h
rcl byte ptr [edi-15h], cl
add esp, dword ptr [ecx-14A94F35h]
add esp, dword ptr [edi+4Dh]
adc dword ptr [ecx+54h], eax
jmp 00007F6B2CAC6065h
mov byte ptr [5541F05Eh], al
jmp 00007F6B2CAC6064h
and ah, byte ptr [ecx+eax*2+56h]
jmp 00007F6B2CAC6063h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x296000	0x1c0	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe2000	0x1b259c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.data	0x2000	0xdef10	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe2000	0x1b259c	0x1b2600	False	0.20000281025179856	data	4.251156488048282	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x296000	0x109200	0x109200	False	0.9997964919259783	data	7.9997654885259255	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0xe20c8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0xe2224	0x134	data	English	United States
RT_CURSOR	0xe2380	0x134	data	English	United States
RT_CURSOR	0xe24dc	0x134	data	English	United States
RT_CURSOR	0xe2638	0x134	data	English	United States
RT_CURSOR	0xe2794	0x134	data	English	United States
RT_CURSOR	0xe28f0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States
RT_BITMAP	0xe2ba0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe2da8	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States
RT_BITMAP	0xe2fc8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe31d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe33dc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe35e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe37ec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe39f0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe3bfc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe3e04	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0xe400c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0xe4110	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0xe4238	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0xe4358	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0xe4470	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0xe4564	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0xe4664	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0xe4780	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0xe4880	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_BITMAP	0xe4994	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States
RT_BITMAP	0xe4a8c	0xc8	Device independent bitmap graphic, 13 x 12 x 4, image size 96	English	United States
RT_BITMAP	0xe4b94	0xc8	Device independent bitmap graphic, 13 x 12 x 4, image size 96	English	United States
RT_BITMAP	0xe4c98	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States
RT_BITMAP	0xe51b8	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States
RT_BITMAP	0xe52c8	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States
RT_BITMAP	0xe53d4	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States
RT_BITMAP	0xe54e0	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States
RT_BITMAP	0xe55f0	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States
RT_BITMAP	0xe5700	0xd0	Device independent bitmap graphic, 12 x 13 x 4, image size 104	English	United States
RT_BITMAP	0xe5804	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States
RT_BITMAP	0xe5d28	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States
RT_BITMAP	0xe6248	0x4e8	Device independent bitmap graphic, 13 x 12 x 8, image size 192	English	United States
RT_BITMAP	0xe676c	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	Swedish	Sweden
RT_BITMAP	0xe6934	0x17c	Device independent bitmap graphic, 23 x 23 x 4, image size 276, 16 important colors	Swedish	Sweden
RT_BITMAP	0xe6af4	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	Swedish	Sweden
RT_BITMAP	0xe6cbc	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	Swedish	Sweden
RT_BITMAP	0xe6e84	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colors	Swedish	Sweden
RT_BITMAP	0xe7050	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States
RT_ICON	0xe71b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States
RT_ICON	0xe7648	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States
RT_ICON	0xe7ff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States
RT_ICON	0xe90c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States
RT_ICON	0xeb698	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States
RT_ICON	0xef8e8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States
RT_ICON	0xf4d98	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States
RT_ICON	0xfe268	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States
RT_ICON	0x10eab8	0x53af	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x113e90	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Swedish	Sweden
RT_STRING	0x114860	0x2c0	data
RT_STRING	0x114b48	0x2f8	data
RT_STRING	0x114e68	0x3c8	data
RT_STRING	0x115258	0x510	data
RT_STRING	0x115790	0x370	data
RT_STRING	0x115b28	0x390	data
RT_STRING	0x115ee0	0x404	data
RT_STRING	0x11630c	0x428	data
RT_STRING	0x11675c	0x34c	data
RT_STRING	0x116ad0	0x390	data
RT_STRING	0x116e88	0x288	data
RT_STRING	0x117138	0x49c	data
RT_STRING	0x1175fc	0x3c4	data
RT_STRING	0x1179e8	0x43c	data
RT_STRING	0x117e4c	0xd8	data
RT_STRING	0x117f4c	0xd0	data
RT_STRING	0x118044	0x120	data
RT_STRING	0x11818c	0x378	data
RT_STRING	0x11852c	0x3fc	data
RT_STRING	0x118950	0x3bc	data
RT_STRING	0x118d34	0x46c	data
RT_STRING	0x1191c8	0x37c	data
RT_STRING	0x11956c	0x3a8	data
RT_STRING	0x11993c	0x398	data
RT_STRING	0x119cfc	0xcc	data
RT_STRING	0x119df0	0xb0	data
RT_STRING	0x119ec8	0x298	data
RT_STRING	0x11a188	0x46c	data
RT_STRING	0x11a61c	0x35c	data
RT_STRING	0x11a9a0	0x2c0	data
RT_RCDATA	0x11ad08	0x82e8	data	English	United States
RT_RCDATA	0x123028	0x10	data
RT_RCDATA	0x123078	0xc8bda	Delphi compiled form 'TformAbout'
RT_RCDATA	0x1ebc98	0x824a	Delphi compiled form 'TformHinter'
RT_RCDATA	0x1f3f30	0x2409	Delphi compiled form 'TformHistoryItem'
RT_RCDATA	0x1f637c	0x44f26	Delphi compiled form 'TformMain'
RT_RCDATA	0x23b2e8	0x3d046	Delphi compiled form 'TformOptions'
RT_RCDATA	0x278378	0x73c	Delphi compiled form 'TformProgress'
RT_RCDATA	0x278af4	0x15a0	Delphi compiled form 'TformQueue'
RT_RCDATA	0x27a0d4	0x19580	Delphi compiled form 'TformTask'
RT_RCDATA	0x29367c	0x132	Dyalog APL component file 32-bit non-journaled checksummed version -71.37
RT_GROUP_CURSOR	0x293820	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x29385c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x293898	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x2938d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x293910	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x29394c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x293988	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x293a08	0x84	data	English	United States
RT_GROUP_ICON	0x293ac8	0x14	data	Swedish	Sweden
RT_VERSION	0x293b1c	0x3d8	data	English	United States
RT_MANIFEST	0x293f34	0x666	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
shell32.dll	PathMakeUniqueName
mscoree.dll	_CorExeMain
advapi32.dll	RegOpenKeyExW
user32.dll	TranslateMessage
kernel32.dll	GetModuleHandleA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Swedish	Sweden

• file.exe
• powershell.exe
• conhost.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• file.exe
• powershell.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	21:04:40
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xb50000
File size:	2866176 bytes
MD5 hash:	30815E7574409C788E6CFB3247250EE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	21:05:22
Start date:	25/01/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
Imagebase:	0x7ff6f4710000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	21:05:22
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Function 00007FFDC88A0088 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

>', xrefs: 00007FFDC88A0061

Memory Dump Source

Source File: 00000000.00000002.553918347.00007FFDC88A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC88A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc88a0000_file.jbxd

Similarity

API ID:
String ID: >'
API String ID: 0-469774255
Opcode ID: 6d379387e6699670c29ec0be5e957e448543688a241e275ff01492f49e73d203
Instruction ID: 1a7782c3fc80b49334f170b2a67f0eed232d8fda2e15b941015b6a780b26e86e
Opcode Fuzzy Hash: 6d379387e6699670c29ec0be5e957e448543688a241e275ff01492f49e73d203
Instruction Fuzzy Hash: 7302A631E0C147C6EB25DF68AC529F97790AF14219F34123DD849C6DC2FA2CA16F86E9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC8824359 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

x\!, xrefs: 00007FFDC8824613

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID: x\!
API String ID: 0-4132185133
Opcode ID: dfb1911cab002324935a9d294c519deec42aedab10b506baa510645149895b3b
Instruction ID: 34f2b10872b4d6b7ea4e66c9f5b68ba29f8629569c32feb6cfc74fc3ff890b67
Opcode Fuzzy Hash: dfb1911cab002324935a9d294c519deec42aedab10b506baa510645149895b3b
Instruction Fuzzy Hash: 20916070A184098FD759EF18D8A59BD73E2FF98324B205139D44EC77A5EA34B822CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC8823F44 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd4bc458e24516b1be7d67c2366de5da7bc2cdc7c0998be270512f3561b396f
Instruction ID: 0832fc4054c6b4d871f3f43030972e5fd16bf20ad40d5e7424ea7c217f58bb8e
Opcode Fuzzy Hash: 0cd4bc458e24516b1be7d67c2366de5da7bc2cdc7c0998be270512f3561b396f
Instruction Fuzzy Hash: 4C512531A08411CBD75ADF98ECE196533E2FBA83307544129D906D77BCDAB8F862CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88241B3 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

x\!, xrefs: 00007FFDC8824613
8W!, xrefs: 00007FFDC882432B

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID: 8W!$x\!
API String ID: 0-559321493
Opcode ID: 4e953cbe7a4d48ec511b2218553aecf1e503740474b97ecc6b5ac1e18e43b828
Instruction ID: 1d1fa3c448a336c2978671bb20da3b209e97194a6d0fa8f0fdcd1b763917f3cb
Opcode Fuzzy Hash: 4e953cbe7a4d48ec511b2218553aecf1e503740474b97ecc6b5ac1e18e43b828
Instruction Fuzzy Hash: 81510230F545098FEB99FB68D8A5ABD73D2EF98310F600079D40EC32A2EE2968518B55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC8822887 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78925b6caf076ffcf260d8b236ee94ecda16218e48152f3548ab0d9300d16fd
Instruction ID: e12311a4413d3b58ad88190d000df5db3dc1fcfcc97038b748c836e9b0afa6d6
Opcode Fuzzy Hash: b78925b6caf076ffcf260d8b236ee94ecda16218e48152f3548ab0d9300d16fd
Instruction Fuzzy Hash: BB516330E186158BE765EF28D8A1AB9B3E1FF99310B5005B9D40DC76A7EE38FC118785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88228CC Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9cc6a81eb55b2ad46c99fbd75b036ca28dad6dce6aa19bd7c72b78ac11ab85
Instruction ID: ed309e28c1d2c1f46528449c94edc5f17ef3a4ee77b5abb29474b2fa1451e4b3
Opcode Fuzzy Hash: 1d9cc6a81eb55b2ad46c99fbd75b036ca28dad6dce6aa19bd7c72b78ac11ab85
Instruction Fuzzy Hash: AC419430E186098FDB55EF68D8A1AA9B7E1FF59310B5045BDD00DC7293EE38B801CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC8822768 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857c7fa15803003d07f649e312fdfbe110dc908a7a862b9ea7ab88ca7969f97e
Instruction ID: 6a2411a4ccadf557eba1bf6d2657bdf1377b9dc70f55fc6edabdb19515b42335
Opcode Fuzzy Hash: 857c7fa15803003d07f649e312fdfbe110dc908a7a862b9ea7ab88ca7969f97e
Instruction Fuzzy Hash: 4C012830A0D5188EEA65FF28DC65EBAB3A1EF95310F0000B8E409C36D2DF243D118689

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88227FC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18e293308484db675b32932af036e336e14b48b02227cd3c12dc20ede9f7769
Instruction ID: de12826b64693be0a66586c631833f11312fc03e018dc1ab822663507ec37702
Opcode Fuzzy Hash: d18e293308484db675b32932af036e336e14b48b02227cd3c12dc20ede9f7769
Instruction Fuzzy Hash: F8F0E771B484158FD399DB2CDC91A6C73F2EB9837075602AAD409D33A4EE24BC218788

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88240DE Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8902281752e3a4aefe0e1b0e9d7506a141bb164bd072045561977ef41d9931
Instruction ID: 464846565c5108804e9b3be49e2184879b0ad00e13a71c98a912ac395ca29111
Opcode Fuzzy Hash: ff8902281752e3a4aefe0e1b0e9d7506a141bb164bd072045561977ef41d9931
Instruction Fuzzy Hash: ECF0DA20F168194BE795FF2888A9A7C72E2FB9C321B950438D40DD32B6ED28AD618741

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0094C412 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

x\;U, xrefs: 0094C43D

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID: x\;U
API String ID: 0-3453668088
Opcode ID: 758c05e435222d30ce8c0b27ca2747bbe501d057b2fb12c61b12bd7e332874b6
Instruction ID: 24cb3343488f717497a6ca3bdf40962ca10a4207c87198105ba242cb601da261
Opcode Fuzzy Hash: 758c05e435222d30ce8c0b27ca2747bbe501d057b2fb12c61b12bd7e332874b6
Instruction Fuzzy Hash: 94612A75618B448BE3B8EF3498547DAB7D7FBD8301F11D928D18BC2261EE39C4068B41

Uniqueness

Uniqueness Score: -1.00%

Function 0093F7F7 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0920a62d9bb6ddd34fa7b7ea630b9cafc29cbe7bde2b4c778f4cf8a36d1b3b
Instruction ID: 46dbeea7672ba7998209c8f6cd2c763d6d78206a0ca3aad9e72dcd694bd1ce50
Opcode Fuzzy Hash: fd0920a62d9bb6ddd34fa7b7ea630b9cafc29cbe7bde2b4c778f4cf8a36d1b3b
Instruction Fuzzy Hash: 85D1DCA3BB868407D70C8C18EC937B2728BE7DA319B2D947DE887C6347E919D917940D

Uniqueness

Uniqueness Score: -1.00%

Function 0093EF69 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141a1477feff5e56239242162e3aa49995afc8312f91e81ce4b3a5dbcd55f74b
Instruction ID: ae3ff07906236670393be1220acbd756506cfafeb00c1ac3abc6354fcb6994b1
Opcode Fuzzy Hash: 141a1477feff5e56239242162e3aa49995afc8312f91e81ce4b3a5dbcd55f74b
Instruction Fuzzy Hash: 38C119A3BBD68007934C9C29EC936B272CBD7DA71A72D943CE487C6307E919D927944C

Uniqueness

Uniqueness Score: -1.00%

Function 0093F68D Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c3e6d9bbb8017e933c64901adcaa2f2acb41f6c79e2277747f8ed9fb9ca861
Instruction ID: f6b9e3089ec24152b7a96cfa300007bd93bfc38a3ab53055b801f83f5940b1b6
Opcode Fuzzy Hash: 25c3e6d9bbb8017e933c64901adcaa2f2acb41f6c79e2277747f8ed9fb9ca861
Instruction Fuzzy Hash: CDB1DAA3BB868407C70C8C18EC936B2718BE7DA21972DD43DE887C734AE96DD917940D

Uniqueness

Uniqueness Score: -1.00%

Function 0093F392 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e1a2cfa8e2c953ded5f742bf941bbb58018144bb2ec0e49ff70612f19dc48c
Instruction ID: 12639a6ca271059d1442728df11a8d7bd38ffdc3b389a53230fefd7c68ee4dd9
Opcode Fuzzy Hash: c6e1a2cfa8e2c953ded5f742bf941bbb58018144bb2ec0e49ff70612f19dc48c
Instruction Fuzzy Hash: E791FBE3BB868007930C9C19DC936B1B1CBE7DA71972D943DE887C6347E929D917940D

Uniqueness

Uniqueness Score: -1.00%

Function 0093E43F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ac2441ff1f0d1eab717772f741f879fd9368bb8c92fe17a389e2cf38590429
Instruction ID: e6899041c0f2cf2eea1b9c3d4f7d7c16967b98f242c864d57417b16f0aeeff26
Opcode Fuzzy Hash: 15ac2441ff1f0d1eab717772f741f879fd9368bb8c92fe17a389e2cf38590429
Instruction Fuzzy Hash: DA51CCA3FB899107D30C8828EC437A231CBD79AA1AF1D947DE8C7C6347E519D913958D

Uniqueness

Uniqueness Score: -1.00%

Function 0093FA3C Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29e963cf7c721cbed2121527bde751939c76b587dd567f854209dfd3fe22f39
Instruction ID: 9158e77083b5181f783958a53a29651d204a6b0f8f28d2430d14738f63bfa912
Opcode Fuzzy Hash: c29e963cf7c721cbed2121527bde751939c76b587dd567f854209dfd3fe22f39
Instruction Fuzzy Hash: 0051F8A3BA864447D30C8D18EC837B17287E7DA32AF1D907DE88BC6347E929D917954C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88224B8 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.553863513.00007FFDC8820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc8820000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bb68be402265ad7a63ee8fb4bc7c1d0c5aaa1917c59c6d96af392476a47923
Instruction ID: 86ba173f9d2985ee6fe9c1b7dc05cce0724d2336de89479cc3a71de5dd132b99
Opcode Fuzzy Hash: 44bb68be402265ad7a63ee8fb4bc7c1d0c5aaa1917c59c6d96af392476a47923
Instruction Fuzzy Hash: 6A71E631614503CFD75ADF18CDE6D2573E2EB5832035881A8CE4AD3674EB36B862CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00942EA9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075082595cf6f866156f567d8a670d6f41b5d513beeddd1445c6ec7d064d6d5e
Instruction ID: c5bf5dc4d07771f66ee01931fccafb76798942e06d89909c4b163df6a3223638
Opcode Fuzzy Hash: 075082595cf6f866156f567d8a670d6f41b5d513beeddd1445c6ec7d064d6d5e
Instruction Fuzzy Hash: 85119E327BC4920F930CDE38580543676DBF78930A361D6BEE9A7C7663EA20C4138989

Uniqueness

Uniqueness Score: -1.00%

Function 00942E15 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.544971765.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e442dd7d320df24f0753e2d156b9ccd7b9f7af252cc5fddb9c66419b8669ef
Instruction ID: 4e660c51bf4b2b213b5617b5316c232e0031725ddd4951b217319254ee21daf1
Opcode Fuzzy Hash: c9e442dd7d320df24f0753e2d156b9ccd7b9f7af252cc5fddb9c66419b8669ef
Instruction Fuzzy Hash: 1811A1327785520F930CDE38980643676DBF78530A361D67DD5A7C7A63DA24C5138E89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 2828, Parent PID: 4648COMMON

Executed Functions

Function 00007FFDC87A8CF9 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFDC87A8D01

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1fdd27af9463d45e27da82a01eff5fbc116784f14b8ca6d28cffbfa643505e7d
Instruction ID: d6ce2d30c5d7913caae50534b241c04f10180b39393fe55f74fbe47e7389522a
Opcode Fuzzy Hash: 1fdd27af9463d45e27da82a01eff5fbc116784f14b8ca6d28cffbfa643505e7d
Instruction Fuzzy Hash: 86314F30A089598FDF94EF58C455EE9BBA1FF69300F6411A9D009D7296DB34EC82CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A61D5 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cca56c49222c316582c4905fda8c6a4d00d977d5bf51b81ad8b0e095bd7678
Instruction ID: 45efa770230f307ae6760d8a7989525f5e3f935f1b7df79eebda71332f853e34
Opcode Fuzzy Hash: 08cca56c49222c316582c4905fda8c6a4d00d977d5bf51b81ad8b0e095bd7678
Instruction Fuzzy Hash: FA31F47191CB488FDB58DF5C9C5A6E97BE0FB69320F00426FE449C3292DA74A855CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A6E26 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28f3aeb5b1f1b33fa7e87a894b2d66b6a53f5253535e3155e8fac825e0959cd
Instruction ID: 454871686ec07e9e333e710622ae4c69d7a01a264c70890fb7027d101b6474d3
Opcode Fuzzy Hash: c28f3aeb5b1f1b33fa7e87a894b2d66b6a53f5253535e3155e8fac825e0959cd
Instruction Fuzzy Hash: 4321F13190CA4C8FDB58DFAC984A7EA7FE0EBA6321F04416FD049C3152D670A41ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC8874101 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538764114.00007FFDC8870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc8870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb93d3679e57a449da7f86af7c53f115da2aeb85af88f2b2f4db8feafe65073
Instruction ID: 1c9082f8d87b1e07320b8d800802e0ba994b29b81adc68a36c64c99de134c5b7
Opcode Fuzzy Hash: 1bb93d3679e57a449da7f86af7c53f115da2aeb85af88f2b2f4db8feafe65073
Instruction Fuzzy Hash: 7901C432E1DD454FD369EB0CA421AA967E1FFA5320F1901BAE15EC36A3DD29EC4087D4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A74E8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5aa07912a3fbb90e3bd721407658719fd2f0c4915c4efd5993a41b9e5521a04
Instruction ID: 921d368fe3ae3622ba9edbc64d763cacfea64c2608014b5da9eab60f06266d89
Opcode Fuzzy Hash: a5aa07912a3fbb90e3bd721407658719fd2f0c4915c4efd5993a41b9e5521a04
Instruction Fuzzy Hash: 0201217171CA084FD78CEA1CD862AB573E1EB95324B50016ED48AC76A6DE27E8428745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A1355 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cff6f0e817eaf95abd3163f78c11bf9e4f6992de78abb45a49043693fe6870
Instruction ID: 1493b54d8ca3e75e0ce1d81e6161aa124cbefa77e2259149329faa16db5d76e0
Opcode Fuzzy Hash: d0cff6f0e817eaf95abd3163f78c11bf9e4f6992de78abb45a49043693fe6870
Instruction Fuzzy Hash: 1701A77110CB0C4FD744EF0CE451AA6B3E0FB95320F10052DE58AC36A1DA36E881CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC8874139 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538764114.00007FFDC8870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc8870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7013a67bd7bab9f43da9b4bb7a46b57c1afa086b9ee22e55ce4f323edeea5a74
Instruction ID: d1eaf7dadd933e983108fc7ba9146f66a4e26b03d3ebcc37b0c60608af5aaea4
Opcode Fuzzy Hash: 7013a67bd7bab9f43da9b4bb7a46b57c1afa086b9ee22e55ce4f323edeea5a74
Instruction Fuzzy Hash: 9C01D432F0C9454FE754EB1CA4559A577E1EF69320B1900BAE05EC35A3DE28AC408794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88743CA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538764114.00007FFDC8870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc8870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e439e5cfc39afe62d56df4de44c0806e2fb57a06f97ab5ad9b202efb4885054e
Instruction ID: 999eb06ba759482cfa4f49eb91df1aea6f50d72fc56ee9c55a6b26924da1d452
Opcode Fuzzy Hash: e439e5cfc39afe62d56df4de44c0806e2fb57a06f97ab5ad9b202efb4885054e
Instruction Fuzzy Hash: 2D01DF32E0DD890FD769DB1CA460AA877E0EF44720B1900FFE05ED75A3DA15AC008BC4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC88743DC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538764114.00007FFDC8870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc8870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad7568c06eab33a44eba834434fcead44aa31b9c71f31f774604c159ed67466
Instruction ID: 0d8b07a8e5e0a937c5f9309cc78c0fcf80e22f7798ba1b0a2197eebe89e1cd96
Opcode Fuzzy Hash: 4ad7568c06eab33a44eba834434fcead44aa31b9c71f31f774604c159ed67466
Instruction Fuzzy Hash: D101F232E0D9854FE765DB1894649B8BBE0EF45720B1900FFE09EC75A3DA25AC409BC4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A8A2E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b3a24f8be670409e8b7c34453b9ea7be75dc1207d92423556b9942271d61bc
Instruction ID: 4c2d2a4803ff2cc8aaba8ae6164bf844b2ca2d70b4952ad1825016c2e0db74be
Opcode Fuzzy Hash: 81b3a24f8be670409e8b7c34453b9ea7be75dc1207d92423556b9942271d61bc
Instruction Fuzzy Hash: A6F0B43175CA088FDB4CAA0CE8529B473E1EB99321B10013EE48BC2296ED36F843C785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC887680A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538764114.00007FFDC8870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc8870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58757d1441dd2d54dd0e1ac710b542486daf05edb73f57821039afc06141589b
Instruction ID: 90a03fc70fd052296d3ed8598a6920057d7bd0cc96f0b018f7bb9f6a265ceb6a
Opcode Fuzzy Hash: 58757d1441dd2d54dd0e1ac710b542486daf05edb73f57821039afc06141589b
Instruction Fuzzy Hash: 92017D31B0DA884FE755DB5C64505F87BE1EF9C320B1401FFE04DD7193D928A8018785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A6908 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634ebe3e04edca4877147338ccf19171570b49c5100e126b3b2e3a14f2fe293d
Instruction ID: d52f4bcb12f7426b8a8e2080876f866d6f7c0e8f04cb8fa9cf50f95aede92502
Opcode Fuzzy Hash: 634ebe3e04edca4877147338ccf19171570b49c5100e126b3b2e3a14f2fe293d
Instruction Fuzzy Hash: 41F024308486894FDB46DF2888658D57FA0EF26210F1402ABE45CC71A2DB64E859CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87A8A3F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538303904.00007FFDC87A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc87a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d8f0e56d680479b5598b8b189ccba9057a36105b83238f3cf44abdd9dfb922
Instruction ID: 9974c4d9f7fdd7d9d88c724660f8ba5c6c9825e6d09e4f53b0711589c1d519b7
Opcode Fuzzy Hash: 58d8f0e56d680479b5598b8b189ccba9057a36105b83238f3cf44abdd9dfb922
Instruction Fuzzy Hash: CAF0373275C6054FDB5CAA1CF8839B4B3D1D795320750056EE487C2556DD27F8878685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC887682F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.538764114.00007FFDC8870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC8870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffdc8870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b5daed5a73b6af024c8a4f14d681511365f90ef89d426822fc7337aa4c5713
Instruction ID: 2f0fe870183584a3b947485687dc94441a6b060a5af123c92c348e80b71554a5
Opcode Fuzzy Hash: 00b5daed5a73b6af024c8a4f14d681511365f90ef89d426822fc7337aa4c5713
Instruction Fuzzy Hash: 28F0F032E0DA488FEB55EB6C68555F8BBA0EF59321F0400BFE04DD3293ED2968418756

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\tgtAudio\TGTMAH.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1l5gnjj.lhp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yprrpsu4.ack.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: file.exePID: 4648, Parent PID: 3320

Windows Analysis Report
file.exe