Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522723
MD5:	436b11d1ed92bf9d6abf46d8bdf9951e
SHA1:	54d8fcda2b9fe4d89668759011f83cbcfcdb18eb
SHA256:	521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

NoCry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected NoCry Ransomware

AI detected suspicious sample

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

file.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 436B11D1ED92BF9D6ABF46D8BDF9951E)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7624	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 81.4% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp+10h], 00000057h	0_2_00007FF8879C09E2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp+10h], 00000070h	0_2_00007FF8879C09E2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp+10h], 0000008Dh	0_2_00007FF8879C09E2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp+10h], 0000002Ch	0_2_00007FF8879C0F46
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp+10h], 0000007Fh	0_2_00007FF8879C20BE

Source: file.exe, 00000000.00000002.2683285299.0000000000D57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: file.exe, 00000000.00000002.2683285299.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, Windows.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: file.exe, Windows.exe.0.dr	String found in binary or memory: http://www.site.com/log.php
Source: file.exe, Windows.exe.0.dr	String found in binary or memory: https://www.google.com/search?q=how

Spam, unwanted Advertisements and Ransom Demands

Yara detected NoCry Ransomware

Source: Yara match

File source: Process Memory Space: file.exe PID: 7624, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF8879C09E2		0_2_00007FF8879C09E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF8879C413E		0_2_00007FF8879C413E

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Windows.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe, check.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, check.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, check.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows.exe.0.dr, check.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows.exe.0.dr, check.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows.exe.0.dr, check.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.rans.adwa.evad.winEXE@1/4@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: section name: .text entropy: 7.353780498511655
Source: Windows.exe.0.dr	Static PE information: section name: .text entropy: 7.353780498511655

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, Windows.exe.0.dr	Binary or memory string: SBIEDLL.DLLMHTTP://IP-API.COM/LINE/?FIELDS=HOSTING
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1AEC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7712

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LKD:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
Source: Windows.exe.0.dr	Binary or memory string: vmware
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %DetectVirtualMachine%
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TSD:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
Source: file.exe, 00000000.00000002.2683285299.0000000000D57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000002.2689210405.000000001BB03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq1u
Source: file.exe, Windows.exe.0.dr	Binary or memory string: %Emulator%-%DetectVirtualMachine%
Source: file.exe, 00000000.00000002.2689210405.000000001BB03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, Windows.exe.0.dr	Binary or memory string: DetectVirtualMachine
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SRD:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man

Source: C:\Users\user\Desktop\file.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	12 Registry Run Keys / Startup Folder	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	4 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	4 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	87%	ReversingLabs	ByteCode-MSIL.Ransomware.NoCry
file.exe	100%	Avira	TR/Dropper.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	87%	ReversingLabs	ByteCode-MSIL.Ransomware.NoCry

Source	Detection	Scanner	Label	Link
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/search?q=how	file.exe, Windows.exe.0.dr	false		unknown
http://www.site.com/log.php	file.exe, Windows.exe.0.dr	false		unknown
http://ip-api.com/line/?fields=hosting	file.exe, Windows.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522723
Start date and time:	2024-09-30 16:00:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.adwa.evad.winEXE@1/4@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 25 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7624 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:01:09	API Interceptor	1x Sleep call for process: file.exe modified
15:01:11	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	140AEcuVy7.lnk	Get hash	malicious	LonePage	Browse	199.232.214.172
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	199.232.214.172
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://cganet.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172

Process:	C:\Users\user\Desktop\file.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.247897867253901
Encrypted:	false
SSDEEP:	6:kK/9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:mDImsLNkPlE99SNxAhUe/3
MD5:	8F17121561E467BCB734E10CDDB6C43F
SHA1:	627DD3EB73FD14358AE3C69E6A5F27328E7DB3A9
SHA-256:	2B35664273C4D5107713DADAA4681B8C9BA9A22C92A40DC58F96B01B241151BF
SHA-512:	3F8574DAF062EC58E0E6841191F36261B5CCD9C33AAAEC002FA50E6D12CAC5772D672445487D86BE95CCD3C89A64405157ED135D90616034FE73486552893E54
Malicious:	false
Reputation:	low
Preview:	p...... ..........R3A...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	185952
Entropy (8bit):	7.333388863773737
Encrypted:	false
SSDEEP:	3072:bwv4gbyMbNlGDxbjjqnSIMAHFwmo7XqwvX0VQ2fSIrsfyb50E3QBSfUqK1K3cal/:E8SMGFwrn0VQ6Cyd0E3QMfhqK3calkq
MD5:	436B11D1ED92BF9D6ABF46D8BDF9951E
SHA1:	54D8FCDA2B9FE4D89668759011F83CBCFCDB18EB
SHA-256:	521357A0F9669DE4A9233FEEEF7A3C5299C51DE4A2531C56AACC807C0FD25A6A
SHA-512:	439F027749EE53FEE3C1743409DFD73058E9195266F8034417EC0563379E519547934C34C4C4C3264B82CC40F94AB753B299DE5A618AD8ABC330EBE441D34AE0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T,.b.........."...P.................. ........@.. .......................@............@.....................................K.......B...............`.... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...B...........................@..@.reloc....... ......................@..B........................H........t...l..........d...3.............................................(....&..(......s.........s.........s ........s!........s"........Z........o5...........&..(6....j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+....{......,.+.....,.rq..ps;...z..\|....(...+...{......,.+.....,.rq..ps;...z..\|....(...+...{......,.+.....,.rq..ps;...z..\|....(...+...{......,.+.....,.rq..ps;...z..\|....(...+&........".......*Vs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.333388863773737
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	185'952 bytes
MD5:	436b11d1ed92bf9d6abf46d8bdf9951e
SHA1:	54d8fcda2b9fe4d89668759011f83cbcfcdb18eb
SHA256:	521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a
SHA512:	439f027749ee53fee3c1743409dfd73058e9195266f8034417ec0563379e519547934c34c4c4c3264b82cc40f94ab753b299de5a618ad8abc330ebe441d34ae0
SSDEEP:	3072:bwv4gbyMbNlGDxbjjqnSIMAHFwmo7XqwvX0VQ2fSIrsfyb50E3QBSfUqK1K3cal/:E8SMGFwrn0VQ6Cyd0E3QMfhqK3calkq
TLSH:	3F04BF252381EF52C46D46B514719A4023F96D93C356DA7E7FE8B0AD6BF2B808701FE2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T,.b.........."...P.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42e0ee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62D02C54 [Thu Jul 14 14:46:44 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=KoraySec Root CA, OU=Certificate Authority, O=KoraySec
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	01/02/2023 10:29:58 01/02/2024 10:29:58
Subject Chain	CN=Google, O=Google, OU=Google, L=Los Angeles, S=California, C=US, E=chjgchnv@gmail.com
Version:	3
Thumbprint MD5:	7ABCA51F8A27906AA3D4A2DDEE97DF41
Thumbprint SHA-1:	7189DCB8855F6C684B460C8E1ECE01373FB4E1D3
Thumbprint SHA-256:	6576D0FBDC2CFFBB94AFC6CC91FA24124C929668C97BBA18A424ECDB53691126
Serial:	01040503

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e0a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2ca00	0xc60	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x32000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2c0f4	0x2c200	913c99aafc192126a25f13d9dba59c3b	False	0.7212232206090652	data	7.353780498511655	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x242	0x400	fb2231d0976326e53757928c09fbb9dc	False	0.3037109375	data	3.5160679793070893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x32000	0xc	0x200	7af298d090bd9d31846c0a42af422136	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x30058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 16:01:09.183738947 CEST	1.1.1.1	192.168.2.9	0x49ba	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:01:09.183738947 CEST	1.1.1.1	192.168.2.9	0x49ba	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:01:08
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x810000
File size:	185'952 bytes
MD5 hash:	436B11D1ED92BF9D6ABF46D8BDF9951E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FF8879C09E2 Relevance: 26.1, Strings: 18, Instructions: 3579COMMON

Download Yara Rule

Strings

w#, xrefs: 00007FF8879C272C
8I , xrefs: 00007FF8879C2162
8I , xrefs: 00007FF8879C2F87
8I , xrefs: 00007FF8879C35B7
8I , xrefs: 00007FF8879C32A6
8I , xrefs: 00007FF8879C1E07
8I , xrefs: 00007FF8879C2508
8I , xrefs: 00007FF8879C2523
8I , xrefs: 00007FF8879C2F6C
8I , xrefs: 00007FF8879C1DEC
8I , xrefs: 00007FF8879C1A7D
8I , xrefs: 00007FF8879C328B
8I , xrefs: 00007FF8879C217D
8I , xrefs: 00007FF8879C1A62
8I , xrefs: 00007FF8879C38D1
8I , xrefs: 00007FF8879C359C
y, xrefs: 00007FF8879C2063
8I , xrefs: 00007FF8879C38EC

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: 8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $8I $y$w#
API String ID: 0-1082080199
Opcode ID: e82bd491cc5230f66b0b854af222210738fce2c3aef426cccf29e5fb63767c88
Instruction ID: 9caaa7f10c89d53804c3c4f5a49b2a71e5cebf84bbb190305e6b6aeac3c6a71d
Opcode Fuzzy Hash: e82bd491cc5230f66b0b854af222210738fce2c3aef426cccf29e5fb63767c88
Instruction Fuzzy Hash: C4633E709596CE8FEBA1DF288C557E93BE1FF5A340F4440A6D84CCB292DB389A44CB51

Function 00007FF8879C0F46 Relevance: 4.2, Strings: 3, Instructions: 452COMMON

Download Yara Rule

Strings

,, xrefs: 00007FF8879C1028
8I , xrefs: 00007FF8879C35B7
8I , xrefs: 00007FF8879C359C

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: ,$8I $8I
API String ID: 0-4143522558
Opcode ID: 605d7d3ae7823a24f55c5ea20c4c72a106eccedd8ab338a7b6e15f236bdc4ab0
Instruction ID: 3a206fdab9f41b55d2cee8f0971d3a3be52e36b46d3c1286b08b6bc17f9633e7
Opcode Fuzzy Hash: 605d7d3ae7823a24f55c5ea20c4c72a106eccedd8ab338a7b6e15f236bdc4ab0
Instruction Fuzzy Hash: 5A024B709096C98FEBA6DF6888557E93BE1FF56340F4440AAD84DCB292CF389A44CB51

Function 00007FF8879C20BE Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

8I , xrefs: 00007FF8879C2162
8I , xrefs: 00007FF8879C217D
w#, xrefs: 00007FF8879C272C

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: 8I $8I $w#
API String ID: 0-84765575
Opcode ID: 1a0fd3394d5be7b32e5a6a7b49e3bb5a5d3a66de78a676de4fc69ec9a8386ddd
Instruction ID: 47a0b31597e7b78fc3946c44272c99e6d4d147d438612a1015fe929059e1cbfe
Opcode Fuzzy Hash: 1a0fd3394d5be7b32e5a6a7b49e3bb5a5d3a66de78a676de4fc69ec9a8386ddd
Instruction Fuzzy Hash: B86143715496CA8FEBA1DF288C557E93BE0FF56340F0440AAD85DCB292DA389A48CB11

Function 00007FF8879C413E Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d169bbf555328deeb69fd13d5285e1a8034c482f5f8ba2eb3253904d09b424
Instruction ID: d938afffd02b9bc3544559d9114122e34ccf0f179cfef85cb679601ec0bca148
Opcode Fuzzy Hash: 17d169bbf555328deeb69fd13d5285e1a8034c482f5f8ba2eb3253904d09b424
Instruction Fuzzy Hash: 19C18C9290E7C51FD783D7B48926659BFB1AF6B28075E40EBD089CF2E3D9185D09C322

Function 00007FF8879C273E Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

w#, xrefs: 00007FF8879C276B
w#, xrefs: 00007FF8879C272C
w#, xrefs: 00007FF8879C2644
8I , xrefs: 00007FF8879C35B7
8I , xrefs: 00007FF8879C359C

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: 8I $8I $w#$w#$w#
API String ID: 0-2759234975
Opcode ID: 2fd5cec61babc34f89ca683f0c9cebc28a4a22b217b23d5f369bd8e73ddf99b1
Instruction ID: 2e14dad8fc3b73075fb0369d79ea83ec2370c2db078cb7ac3774295742b4a6fd
Opcode Fuzzy Hash: 2fd5cec61babc34f89ca683f0c9cebc28a4a22b217b23d5f369bd8e73ddf99b1
Instruction Fuzzy Hash: 67123B709596CA8FEBB1DF288C557E93BE1FF56340F0440AAD88DCB292DB385A44CB51

Function 00007FF8879C2643 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

w#, xrefs: 00007FF8879C272C
w#, xrefs: 00007FF8879C2644

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: w#$w#
API String ID: 0-4018902906
Opcode ID: 97c08bf99cc2d7d42f2ac3ef91eb5fe44ed08214b89ff4fd853404eaea78c4df
Instruction ID: 257c5113280c506bc92e56d4255bf10299f0660c3abb94370ce275f460864867
Opcode Fuzzy Hash: 97c08bf99cc2d7d42f2ac3ef91eb5fe44ed08214b89ff4fd853404eaea78c4df
Instruction Fuzzy Hash: 07313C709097CA4FDBA69F2888557D93FF1FF56380F0801AAD488CF2A2CA385A95C711

Function 00007FF8879CB60A Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

hV, xrefs: 00007FF8879CB7BD

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: hV
API String ID: 0-3364352740
Opcode ID: 9af8cec6b4a4c043804058b8202c3fdd8110439c510e82780453ddd9ecbdbf9b
Instruction ID: f96f51ecb65a090f493ffc9d98c93d4055b471e3e862fb358734bb8a0f354b0f
Opcode Fuzzy Hash: 9af8cec6b4a4c043804058b8202c3fdd8110439c510e82780453ddd9ecbdbf9b
Instruction Fuzzy Hash: 9ED1C470518A8D8FEBB1EF58CC49BE93BE0FB58344F50456AE84DCB291DB789684CB41

Function 00007FF8879CD716 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

hV, xrefs: 00007FF8879CD94E

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: hV
API String ID: 0-3364352740
Opcode ID: 75f03db80089963eb6357604699f0658a8ce7090bce8cf17bee802978ab3ca76
Instruction ID: cb295053c71b5ec14c2c961840b0e37fcf66795612f2fe0e3bbd76cbc8d40c66
Opcode Fuzzy Hash: 75f03db80089963eb6357604699f0658a8ce7090bce8cf17bee802978ab3ca76
Instruction Fuzzy Hash: 90D1C470528A8D8FEBB0EF58CC49BE97BE0FB58344F50456AD84DCB291DB789684CB41

Function 00007FF8879C0DFD Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

), xrefs: 00007FF8879C0E9E

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: e9d6859e09d3576bbf60c8726f7e622e4a4ab3de3aeb92be791b3fcf05a14e72
Instruction ID: 995acf0f23220af3614f6ad1bdab84d0d51a3b711f0276f31c454b4489b943f3
Opcode Fuzzy Hash: e9d6859e09d3576bbf60c8726f7e622e4a4ab3de3aeb92be791b3fcf05a14e72
Instruction Fuzzy Hash: 0521EB70919A8D8FDBB6EF18C895BD83BE5FF59740F400166E80CCB296DA34AB40CB41

Function 00007FF8879C0205 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8452e194ebd86d25912869f9bf3f4d87bd15ff3343ef72434bedb59acbd3bc65
Instruction ID: 2c556bf0859726aa35bd070d9aa9b3a3da6d936a556ca007699e75cf9d2eb1a5
Opcode Fuzzy Hash: 8452e194ebd86d25912869f9bf3f4d87bd15ff3343ef72434bedb59acbd3bc65
Instruction Fuzzy Hash: 3E02B2705097CD8EEB76CF28C8697DA3FE0AF16308F584199D89C9F282C7B94648C756

Function 00007FF8879CF651 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d7ddf20d073300f450331681337d0a19e027b0d682fb7935c6552fca40bc8e
Instruction ID: c95168b339489334ecc86c1f29f76396286d9fa7a28aa9b3504db2ae0903520e
Opcode Fuzzy Hash: f0d7ddf20d073300f450331681337d0a19e027b0d682fb7935c6552fca40bc8e
Instruction Fuzzy Hash: 77B1F8705186C98FDBA5DF28CC54BE93BE0FF1A340F0441AAE84DDB292DB78A944CB51

Function 00007FF8879C6819 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07527f487427fd0428c925788341275c441b550d538159a3360bb86cdfffc749
Instruction ID: 2c2cfb5f6c582deded2abed09dcb7663eb2c9dc31f1c135a1d82bc79c3ebf8b9
Opcode Fuzzy Hash: 07527f487427fd0428c925788341275c441b550d538159a3360bb86cdfffc749
Instruction Fuzzy Hash: 10B1C370518ACD8FEBB1DF18C889BE93BE0FB59304F50456AD84DCB251DB789689CB81

Function 00007FF8879CD336 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1679f49a97e317ec5dc8183664540d8a9f941a20d672f4d1e87c0dbd852d21
Instruction ID: 821cb076b3049fe13e07f17fb7b65b0a5df6994939d62b70644b82bb2afea9ed
Opcode Fuzzy Hash: ae1679f49a97e317ec5dc8183664540d8a9f941a20d672f4d1e87c0dbd852d21
Instruction Fuzzy Hash: 3FA1D770518A8D8FEBB0EF58CC49BE97BE0FB58304F50456AD84DCB291DB789689CB41

Function 00007FF8879C4FC1 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c009aca60c68efe5891346aa49c44f88b60d712bd4e1fe5167280943b9ff7e
Instruction ID: bc6a5d8106d1dd51fb74fe58cb8a18e29c41663e37ff483374088408ea6349a9
Opcode Fuzzy Hash: 14c009aca60c68efe5891346aa49c44f88b60d712bd4e1fe5167280943b9ff7e
Instruction Fuzzy Hash: D181F870518A8D9FEB91DF28C849BE93BE0FF59340F5501A5E84DC7292D738D984CB51

Function 00007FF8879CDEE6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c0b67118b63d3acbc2128df36db6dc7a01ed96c8ddcb9a9e772b02f00b3315
Instruction ID: 51758fd5c9a9db0d4cb088700c0154367ede0cc8815c94d98002bb86af220752
Opcode Fuzzy Hash: 42c0b67118b63d3acbc2128df36db6dc7a01ed96c8ddcb9a9e772b02f00b3315
Instruction Fuzzy Hash: 6371D970918A8D8FEF95DF28C849BE83BE1FF59384F514165E81DC7292DB38A844CB81

Function 00007FF8879C4D95 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f84eb94bdd2ac37303034b468e0135114ce002dbbaed57f1575798a9a548ba
Instruction ID: 93d4664c0a8d376a7b909e9597fb4f2edc1d0953287b118c2a43b35fab7df5a2
Opcode Fuzzy Hash: 92f84eb94bdd2ac37303034b468e0135114ce002dbbaed57f1575798a9a548ba
Instruction Fuzzy Hash: 6361CB71909A8D8FEF86EF28C855B983FF0FF5A380F554196E848CB2A2D634D944CB51

Function 00007FF8879C49F9 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbde203534f582dec510985375c2e4a0cc5051a077f2c1c87f12f4a208ca5b98
Instruction ID: b6119657357ddff209e24319ef26943bb29e9a689f4bef1fcd8ad36a1f815f33
Opcode Fuzzy Hash: bbde203534f582dec510985375c2e4a0cc5051a077f2c1c87f12f4a208ca5b98
Instruction Fuzzy Hash: 5B518C71A186CE8FEB85DF68D8517AC3FB0FF59380F4501B6E84DC7292CA28A945C751

Function 00007FF8879C4819 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4d585e56b2de59ffd3befd660319ab32cccea1f66ec0634e259e19bbebf62
Instruction ID: 7325257290a3611366829546086d032430efb4a9c0eaa10b485f03ea39f9c9ed
Opcode Fuzzy Hash: 8ab4d585e56b2de59ffd3befd660319ab32cccea1f66ec0634e259e19bbebf62
Instruction Fuzzy Hash: F5410870518ACD8FEBA1DF18CC49BD93BA0FF19344F5041AAE84DCB292DB785648CB42

Function 00007FF8879CF295 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310f8bca23335e9fb1341d4fed66e11af7652bfdfdc3d9d14e09c05c6acc4fc9
Instruction ID: ee6d83d1c9b8405e4f52e21f9d34c9a8accc20b533c231b0f9b1f2a3ba662539
Opcode Fuzzy Hash: 310f8bca23335e9fb1341d4fed66e11af7652bfdfdc3d9d14e09c05c6acc4fc9
Instruction Fuzzy Hash: F141736294CBCA9FD781DB2C88557197FF0FF9A380F4505AAE08CC72A2D6289C44C712

Function 00007FF8879CF4F3 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af42e58979118aaeb33ede9a0a767c9e9ee3acb1542f44d652e2843a4d053bdc
Instruction ID: d03dbf0556bbfae6f18b0538fddf99af65414f9436e35ca830871eccc962c946
Opcode Fuzzy Hash: af42e58979118aaeb33ede9a0a767c9e9ee3acb1542f44d652e2843a4d053bdc
Instruction Fuzzy Hash: 9B413F71908AC98FEB95DF28C858BA83BF1FF59380F444166E85DC7293CB789945CB41

Function 00007FF8879CF507 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5981f8d58c5fa15ed69f3d3eae941d0bdfe3d810eb10878c546335c3cdf52a4e
Instruction ID: ab63354c520cfa6fdc33d9b9cb39f128246b45c96c291a24a4f2f0a42537aa8b
Opcode Fuzzy Hash: 5981f8d58c5fa15ed69f3d3eae941d0bdfe3d810eb10878c546335c3cdf52a4e
Instruction Fuzzy Hash: 58413AB1918A8D8FEB95DF28C858BA83BE1FF59340F544166E84DC72A2CB789945CB40

Function 00007FF8879C4BB1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466fd54332fca2719218d08aa27da715f97cb5af32d1087f58e392c0d8d0741d
Instruction ID: fe5b0654d169b1be023084cc75f3d4eeb23bd9128fc6aef0100dfcfade02173a
Opcode Fuzzy Hash: 466fd54332fca2719218d08aa27da715f97cb5af32d1087f58e392c0d8d0741d
Instruction Fuzzy Hash: 3F219F71958A8D9FEB81DF28C8557DC3FB0FF59380F5541A6E84CC7152C6389944C781

Function 00007FF8879CEFAD Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0a017a1cfd0b7ff6604cfd74d7f7f8b719e850e034c89ca65c697569510f28
Instruction ID: f0878758215e9cf5926f27e587f7ca931ce4f86ce5540c13cd0fd429a8851ce7
Opcode Fuzzy Hash: 8b0a017a1cfd0b7ff6604cfd74d7f7f8b719e850e034c89ca65c697569510f28
Instruction Fuzzy Hash: 5911C66181CBC85FD795DB2C8855B597BF0FF99344F5445AEE08CC72A2D6388905C712

Function 00007FF8879C4CB9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a2a017cdb7561e5fdfaf20bbe4c96079e93151b3f9de745da604ad36c62ae0
Instruction ID: 5f7fb2167835abe2cfa2300a33f61264ad370dbd4eae2d2df5b671a694ca743c
Opcode Fuzzy Hash: 30a2a017cdb7561e5fdfaf20bbe4c96079e93151b3f9de745da604ad36c62ae0
Instruction Fuzzy Hash: 8F016D719986CD9FDB81AF1888597A83FF0FF55380F1985EAE44CCB152D738A544CB82

Function 00007FF8879C4451 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2691590569.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8879c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605d458cbb121251af558cabbebeb05651038f5c64626a688a99e8d19da8b8fa
Instruction ID: 391fb05163f05174930ca01c8e892fd602badc3410569ed0600f4a19b8c947de
Opcode Fuzzy Hash: 605d458cbb121251af558cabbebeb05651038f5c64626a688a99e8d19da8b8fa
Instruction Fuzzy Hash: 3E11705055C7C55FE3429768885476EBFE0BF9A244F480AEEE0CDDB2A3C62C9504C713

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
file.exe