Edit tour

Windows Analysis Report
PH5N7O0v0i.exe

Overview

General Information

Sample name:	PH5N7O0v0i.exe renamed because original name is a hash value
Original sample name:	d6b848fa155783904192cd7a36ae0388217edbf6.exe
Analysis ID:	1542937
MD5:	ae42e4ddb7c36c1ea3e5a997add11009
SHA1:	d6b848fa155783904192cd7a36ae0388217edbf6
SHA256:	b1733e0795d0eb508e3c7619b84ff3122455e5350f3d0e566f551e64b31c3efc
Tags:	dllexeJohnWalkerTexasLoaderJWTLJWTLoaderReversingLabsuser-NDA0E
Infos:

Detection

JohnWalkerTexasLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected JohnWalkerTexasLoader

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Uses Windows timers to delay execution

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

PE file does not import any functions

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PH5N7O0v0i.exe (PID: 5652 cmdline: "C:\Users\user\Desktop\PH5N7O0v0i.exe" MD5: AE42E4DDB7C36C1EA3E5A997ADD11009)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: PH5N7O0v0i.exe PID: 5652	JoeSecurity_JohnWalkerTexasLoader	Yara detected JohnWalkerTexasLoader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PH5N7O0v0i.exe

ReversingLabs: Detection: 23%

Source: PH5N7O0v0i.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: PH5N7O0v0i.exe

Source: PH5N7O0v0i.exe	String found in binary or memory: https://github.com/reproteq/DiffPatchWpf3Copyright
Source: PH5N7O0v0i.exe	String found in binary or memory: https://ipinfo.io/country
Source: PH5N7O0v0i.exe	String found in binary or memory: https://ipinfo.io/ip

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA16B82	0_2_00007FFB4AA16B82
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA15DD6	0_2_00007FFB4AA15DD6
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA112D3	0_2_00007FFB4AA112D3
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA112FB	0_2_00007FFB4AA112FB
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA1BAFB	0_2_00007FFB4AA1BAFB
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA11300	0_2_00007FFB4AA11300
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA112F8	0_2_00007FFB4AA112F8
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA110AD	0_2_00007FFB4AA110AD
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA111FA	0_2_00007FFB4AA111FA

Source: PH5N7O0v0i.exe

Static PE information: No import functions for PE file found

Source: PH5N7O0v0i.exe, 00000000.00000000.1495108184.00000202E4EF4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs PH5N7O0v0i.exe
Source: PH5N7O0v0i.exe	Binary or memory string: OriginalFilenameDiffPatchWpf.exe2 vs PH5N7O0v0i.exe

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

Mutant created: NULL

Source: PH5N7O0v0i.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PH5N7O0v0i.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PH5N7O0v0i.exe

ReversingLabs: Detection: 23%

Source: PH5N7O0v0i.exe

String found in binary or memory: EHH-ADD!IJJoEHH5JKK

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PH5N7O0v0i.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PH5N7O0v0i.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: PH5N7O0v0i.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PH5N7O0v0i.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Administrator\Pictures\DiffPatchWpf-main\obj\x64\Release\DiffPatchWpf.pdb source: PH5N7O0v0i.exe

Source: PH5N7O0v0i.exe

Static PE information: 0xFC4F2E5B [Thu Feb 21 14:34:03 2104 UTC]

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4A8FD2A5 pushad ; iretd	0_2_00007FFB4A8FD2A6
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA173D5 push ecx; retf	0_2_00007FFB4AA173DC
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA1815A push ebx; ret	0_2_00007FFB4AA1816A
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA100BD pushad ; iretd	0_2_00007FFB4AA100C1
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Code function: 0_2_00007FFB4AA17A09 push cs; ret	0_2_00007FFB4AA17A0F

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	User Timer Set: Timeout: 125ms	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	User Timer Set: Timeout: 1ms	Jump to behavior

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Memory allocated: 202E5230000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Memory allocated: 202FEC90000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E52EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MB9
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E52EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E52EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBS

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Users\user\Desktop\PH5N7O0v0i.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PH5N7O0v0i.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E532F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: //%ProgramFilews Defender\MsMpeng.exe
Source: PH5N7O0v0i.exe, 00000000.00000002.2760586493.00000202E52BF000.00000004.00000020.00020000.00000000.sdmp, PH5N7O0v0i.exe, 00000000.00000002.2763950096.00000202FF8D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PH5N7O0v0i.exe, 00000000.00000002.2760709874.00000202E532F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ws Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\PH5N7O0v0i.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected JohnWalkerTexasLoader

Source: Yara match

File source: Process Memory Space: PH5N7O0v0i.exe PID: 5652, type: MEMORYSTR

Remote Access Functionality

Yara detected JohnWalkerTexasLoader

Source: Yara match

File source: Process Memory Space: PH5N7O0v0i.exe PID: 5652, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PH5N7O0v0i.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Name	Source	Malicious	Reputation
https://ipinfo.io/country	PH5N7O0v0i.exe	false	unknown
https://github.com/reproteq/DiffPatchWpf3Copyright	PH5N7O0v0i.exe	false	unknown
https://ipinfo.io/ip	PH5N7O0v0i.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542937
Start date and time:	2024-10-26 22:42:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PH5N7O0v0i.exe renamed because original name is a hash value
Original Sample Name:	d6b848fa155783904192cd7a36ae0388217edbf6.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PH5N7O0v0i.exe, PID 5652 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: PH5N7O0v0i.exe

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.848895688235369
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	PH5N7O0v0i.exe
File size:	235'520 bytes
MD5:	ae42e4ddb7c36c1ea3e5a997add11009
SHA1:	d6b848fa155783904192cd7a36ae0388217edbf6
SHA256:	b1733e0795d0eb508e3c7619b84ff3122455e5350f3d0e566f551e64b31c3efc
SHA512:	3071684ffa914795f3649e38e63ee5f4776c931dc784bb07d4278f5f2ff599b1f5f00977d65a1bd81fd89bc06c2c542423a8ae759b164b828fb274bb705c942f
SSDEEP:	768:d5SMwiB8lu2H26PwqcyU6GRwkIKugg0Apk/OIaEyEb3GOd53BRnW2i38SmFhhzgj:nH8pPhY34zApoePuzhpmy
TLSH:	4234D4ABE32F6809CC2A32F5C8E443B45E605F116E10D6F964BDF2C5123599BFD189AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...[.O..........."...0.................. .....@..... ....................................`...@......@............... .....

File Icon


Icon Hash:	1761174505056997

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFC4F2E5B [Thu Feb 21 14:34:03 2104 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x18ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x225f8	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2069b	0x20800	6ab1c716ef350ce91d5698a9a78075a1	False	0.1772986778846154	data	4.27829834292513	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x18ca8	0x18e00	d46f216a7dfee89a5dd1ba2c032f2ffe	False	0.10476209170854271	data	3.1344838579936667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x24180	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3962765957446808
RT_ICON	0x245f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.23381801125703564
RT_ICON	0x256b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23278008298755187
RT_ICON	0x27c68	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.12133915918752952
RT_ICON	0x2bea0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.06113214243463859
RT_GROUP_ICON	0x3c6d8	0x4c	data	0.75
RT_VERSION	0x3c734	0x374	data	0.416289592760181
RT_MANIFEST	0x3cab8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Target ID:	0
Start time:	16:43:17
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\PH5N7O0v0i.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PH5N7O0v0i.exe"
Imagebase:	0x202e4ed0000
File size:	235'520 bytes
MD5 hash:	AE42E4DDB7C36C1EA3E5A997ADD11009
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFB4AA15DD6 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d7c7907aeca74ebc86ac22f98d3d9ca65a54b3c57d48c86f1867d12811ae07
Instruction ID: e429f87ff8f9e9a2150f3ddf8d781b8aa1a68c1d4ecec5e255267f0878c2793f
Opcode Fuzzy Hash: 51d7c7907aeca74ebc86ac22f98d3d9ca65a54b3c57d48c86f1867d12811ae07
Instruction Fuzzy Hash: EBF1B47090CA8E8FEBA9EF28C8557F97BD1FF58310F14426AE84DC7291DB3499458B81

Function 00007FFB4AA16B82 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e432ce3136a4b0026950ca3764e4bd7d89df819fd397c1dd98ac2c03308c95b3
Instruction ID: ba26becd3224e25b2519c1ec1cc9d322d0df9d3846165af20833f1545b258f2c
Opcode Fuzzy Hash: e432ce3136a4b0026950ca3764e4bd7d89df819fd397c1dd98ac2c03308c95b3
Instruction Fuzzy Hash: 4CE1B27090CA8E8FEBA9EF28C8557F97BD1EF54310F14426EE84DC7291CB74A9458B81

Function 00007FFB4AA20441 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ee085f8849ecd68e97a4056df15fe26172d1a20adfc8fad25697804b557487
Instruction ID: e766cf08a096cd0bafeb69707937971af6bbf76f9a3b8f6eb7e50b2de4ea1c0b
Opcode Fuzzy Hash: 33ee085f8849ecd68e97a4056df15fe26172d1a20adfc8fad25697804b557487
Instruction Fuzzy Hash: DF12809070D5864FE74A9B7C90607B5BBD1DF9A344F1806FAE48DCB2D3DC18AC868325

Function 00007FFB4AA1D2C8 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13335baf239b2f525641d06539f2a8a745690c39531aa6165f5b91b56061fdc2
Instruction ID: 34cdfc36c8e4a8699bd4b7138b3a824a80f211ebf63245b0b6be252ae0d8885e
Opcode Fuzzy Hash: 13335baf239b2f525641d06539f2a8a745690c39531aa6165f5b91b56061fdc2
Instruction Fuzzy Hash: 425150F1C0E6AE3AF60A3F7596A60B93E995F11201B6400FBF0D9890C3DD0CB50B52B6

Function 00007FFB4AA16796 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ccf3d70efe8446282b911a719aafa456ab84e45001c8458141d08281d3a39d
Instruction ID: 384f97219c0802f01513f5093179aa6dbfdc15ef2e4df7072e90c407d4809053
Opcode Fuzzy Hash: d8ccf3d70efe8446282b911a719aafa456ab84e45001c8458141d08281d3a39d
Instruction Fuzzy Hash: 70B1D47050CA8D8FEB69EF38C8557F93BE1EF55310F14426EE84DC7292DA3898458B82

Function 00007FFB4AA20A41 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3970a271ce4a5f90f49f430638f6f694c0d379c57d7437cc49235292138027a1
Instruction ID: cddca2590f5f7008ca46b51d833933aa87c4c1cbf35857b1fe8b8b4ce6dd5dd1
Opcode Fuzzy Hash: 3970a271ce4a5f90f49f430638f6f694c0d379c57d7437cc49235292138027a1
Instruction Fuzzy Hash: A691B1B1A0D9494FEB4AEF38D5606B87BE1EF9A344F1401F5D58DC7293CD28AC928361

Function 00007FFB4AA126EF Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc929cf4335a7bcb2e6f45e82bb40b60e8a64496b87f40cb7612c1f5609119db
Instruction ID: 7b583c892bf18d1f1db43c041249e706dbfc1814da447dae01de2dc36a8e11fc
Opcode Fuzzy Hash: fc929cf4335a7bcb2e6f45e82bb40b60e8a64496b87f40cb7612c1f5609119db
Instruction Fuzzy Hash: E181E6B190D6894FE786EF38C8552B97FF1EF56304B1501FAD449CB193EE28984B8361

Function 00007FFB4AA116FA Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6942e2d56fd4dd4687ce6e840e21288058bf7de2649f7e41cc5416804eba16d
Instruction ID: 341e9b3ddc2632d22ac813fdbab04b3527a7197a73085f24d520cc55b2b8ee65
Opcode Fuzzy Hash: d6942e2d56fd4dd4687ce6e840e21288058bf7de2649f7e41cc5416804eba16d
Instruction Fuzzy Hash: D7614BE1A0EA8A5FE746AF3C85692B5BFD1EF5A300B1801FAD44DCB283DD146C478361

Function 00007FFB4AA1C5D3 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db87bb79b8edd4ca7908a5df4b39f48525d347376ccf06424fe9f8610f0d0754
Instruction ID: a4ed85103eb8dce2d201f9a8276b642c4dee2d974af3c309000509584b57e6a3
Opcode Fuzzy Hash: db87bb79b8edd4ca7908a5df4b39f48525d347376ccf06424fe9f8610f0d0754
Instruction Fuzzy Hash: A2510076A0D66A6AE351FFBCF4411F87FA4CF45334B1841B7D98CCA093ED19348682A4

Function 00007FFB4AA17F1D Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786eb2d72379183f3e1d347526b908668b44ecfde7df9c87b138ce3335a92fb6
Instruction ID: efb0ac035f6d3678726e008259f47c3ccbec7c5e204cc99f992087d29baf2d1e
Opcode Fuzzy Hash: 786eb2d72379183f3e1d347526b908668b44ecfde7df9c87b138ce3335a92fb6
Instruction Fuzzy Hash: D361A1D1D0E6CB5FE743AF3888651A6BFA0EF6720575900E2D8C8CB193ED14684AC770

Function 00007FFB4AA136CC Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d18e0518142b0fa6047fce107162056c586f20f5e14795f5aee0541b6754a0a
Instruction ID: b7dc60ede81e469ba429c6b7de471aa384c63a96cca1b6ec373309c9216bc52e
Opcode Fuzzy Hash: 5d18e0518142b0fa6047fce107162056c586f20f5e14795f5aee0541b6754a0a
Instruction Fuzzy Hash: 9A51C571908A1C8FDB68DF28D845BE9BBF1FF58310F0082AAD44DD3252DE34A9858F81

Function 00007FFB4AA106B5 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4e9704d5498d4f51a188b4ad27a30c84aaef97ddb3d6de2d57056edb0fb433
Instruction ID: 79cf9e14a6dc143a3defd9d715b4e394054ecbd1f7548888b1ca968e2bce03fa
Opcode Fuzzy Hash: 7f4e9704d5498d4f51a188b4ad27a30c84aaef97ddb3d6de2d57056edb0fb433
Instruction Fuzzy Hash: 2C51D2A790E7DA5FE3036B7CA9B91E93F54DF9226570901FBC4C48E0A7EC18584B8391

Function 00007FFB4AA1C700 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7812660d76956e47b932c1396d9b3260862bd1a1d9dd2fdc0292bcfa85d0ea01
Instruction ID: 0dcaea4880ea424144e9db84d633cac556b1b345ef6d12e0b675b9b87f46334d
Opcode Fuzzy Hash: 7812660d76956e47b932c1396d9b3260862bd1a1d9dd2fdc0292bcfa85d0ea01
Instruction Fuzzy Hash: 205124B2A0CA5E5FE791EF7CD8956F87BE0EF59710B1401BAD44CC3292DE24AC428390

Function 00007FFB4AA1B4A4 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5a0cca2dba3bf7a4d6e5db0a7b08c7d13a346976f360123879e75ddc804464
Instruction ID: b04f90eb8a6f0f8654bece999f1362af51a6716b8cbe599987895b3be64f18e6
Opcode Fuzzy Hash: 9d5a0cca2dba3bf7a4d6e5db0a7b08c7d13a346976f360123879e75ddc804464
Instruction Fuzzy Hash: B8511C7090DB8C8FDB98EF58D889AA9BBE0FB69311F10412EE549C3252C770A845CB91

Function 00007FFB4AA10710 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3594e5587f5b49be58804c4034087460c99e296d4998c83756bb87c09ac507cc
Instruction ID: 18b2263bb05e66cda9def227986bb8ca602293bf7a7ec354468ccc68d08f3409
Opcode Fuzzy Hash: 3594e5587f5b49be58804c4034087460c99e296d4998c83756bb87c09ac507cc
Instruction Fuzzy Hash: 3951E1A7A0E7DA5FE3036B3CA9B51E93F54DF9262570901F7C4C48E0A3EC18184B8391

Function 00007FFB4AA17FAD Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481ab2f7d4e036ef410d1ea9cc2b11e1c392f40a4e7b0c4063bdaeb8d08475fd
Instruction ID: 695898843d4eee6f6453a38f9172d52b69820ca82a41e7480b8edae9e74f0677
Opcode Fuzzy Hash: 481ab2f7d4e036ef410d1ea9cc2b11e1c392f40a4e7b0c4063bdaeb8d08475fd
Instruction Fuzzy Hash: 3651C191D0E6CB1FE747AB3C88601A5BFB1EF5B20474905E2D9C8CB197ED24A946C330

Function 00007FFB4AA127E8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4a33800768af9b2c5dc5dba7e7c705092990446aa947fead19e9d9762e5ce9
Instruction ID: 090ca83e7bdb7c71e7b8851792497304b2b3c8c1958538a5e7e7cbdebc1d6365
Opcode Fuzzy Hash: 0f4a33800768af9b2c5dc5dba7e7c705092990446aa947fead19e9d9762e5ce9
Instruction Fuzzy Hash: B84191B1A1890E5FEB95FF3CC5552B97BE1EF99304B1400B5D80DDB292DE28EC4687A0

Function 00007FFB4A8FE2D3 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765316959.00007FFB4A8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A8FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4a8fd000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bf318686d4490bd3741897b168f37e112402e222c59ea286a0ffd96a6e1819
Instruction ID: 9f31c355f58d48c7a1df112a9af4c764ce2173b80162791bbb3e27847e88db7d
Opcode Fuzzy Hash: c5bf318686d4490bd3741897b168f37e112402e222c59ea286a0ffd96a6e1819
Instruction Fuzzy Hash: 8141E77180DBC54FE7569F38D8459523FF4EF56320B1906EFE088CB1A3D629A846C792

Function 00007FFB4AA1F49D Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b11400a63188fb4684e651dd1a361b09cdba5ba9d9968d3be1e52c57418ba23
Instruction ID: 966c7b5127b7962cd50d84b95f96b7dd4e836488351ee1ad307485bd889198ef
Opcode Fuzzy Hash: 0b11400a63188fb4684e651dd1a361b09cdba5ba9d9968d3be1e52c57418ba23
Instruction Fuzzy Hash: 08417F70908A4C8FDB58EFA8D845BEDBBB1FB59311F00816ED00DD7292DB75A486CB41

Function 00007FFB4AA125A8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64bf82aefa1a65eadde02b8681d902f3c420ad5bff7e19c4dbaf57cabbdb276
Instruction ID: 787e142ea3a82f5c9b45f41f1fea6d1b4b6d01f63f4ebc15c47dbd7b4a201cd3
Opcode Fuzzy Hash: c64bf82aefa1a65eadde02b8681d902f3c420ad5bff7e19c4dbaf57cabbdb276
Instruction Fuzzy Hash: D5316070A0C54E0FEB8ABB3891143B86B91CF66348F6400F5D8ACCB5D3EE189C978361

Function 00007FFB4AA202DD Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcb315381dfff767408a92419e1b31bc86a4d40d4f8e2756a4609d339c9f1f4
Instruction ID: 53298b0a8f89b841b1915ade6167804485b99c71b658d4688bdfae087ea7768b
Opcode Fuzzy Hash: 9bcb315381dfff767408a92419e1b31bc86a4d40d4f8e2756a4609d339c9f1f4
Instruction Fuzzy Hash: 3B31AE92A0DA8A4FF746BF7899252B87BD4EF56700F5401FAE448C72D3ED186C068362

Function 00007FFB4AA1C550 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82a8db72f0ca3f38dbbfb9d01057624b64d413962c39bd223049a3cda3f0ea9
Instruction ID: 2f4fae6641f067985f603c325b26297d938ade5c9ae66b70765be6d50bd313d1
Opcode Fuzzy Hash: d82a8db72f0ca3f38dbbfb9d01057624b64d413962c39bd223049a3cda3f0ea9
Instruction Fuzzy Hash: FA21D677A0D52B76E2557F7DF8011F96B85DF81330B644177DA8CCA043E809748B42D4

Function 00007FFB4AA1D835 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02558e6f7f69216298393e9877e58d9a8392e6691e85e9c38ef1360980920de3
Instruction ID: 232a794690bf3b40fcf8b30e51dffa09910b7a99830f3014a30ffc2371b6a8bc
Opcode Fuzzy Hash: 02558e6f7f69216298393e9877e58d9a8392e6691e85e9c38ef1360980920de3
Instruction Fuzzy Hash: 7B2137A260DE890FE386AA7C8C592757FD1DF9622070842FBC488C75D3CC08DD0683D1

Function 00007FFB4AA1816B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb87509e145dcef8f0f0498e67514dd0ebc1f769b829df69d2afd293f9976f5
Instruction ID: e3cfb47bd8f07fa608685b19b250f37e54d13560a6a8639fb3937df90f21339d
Opcode Fuzzy Hash: fdb87509e145dcef8f0f0498e67514dd0ebc1f769b829df69d2afd293f9976f5
Instruction Fuzzy Hash: BF11BFA7E0E6C65FE743EF7C9C651E17F20DF6624670800F7D988CA093E809540A83B2

Function 00007FFB4AA1C878 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0266fc34c205c787afd694af182329a8889239d4587c1524fba8617d3bcd7cf
Instruction ID: b221c8782a4b9060ab8c114ba515df1eab927370ea2257571f4c6c8cde1e2935
Opcode Fuzzy Hash: e0266fc34c205c787afd694af182329a8889239d4587c1524fba8617d3bcd7cf
Instruction Fuzzy Hash: 9801F7B2B0CA5D4FDB54EF6CA8911F87BE1EF4970071401EAD04EC7292DE15AC4283D1

Function 00007FFB4AA18135 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cee0f2e6723387e5887660578f522612764e0113c8e07d445d22e64c66d35e3
Instruction ID: a16c4a649e906938325253f1591ef70934f50a04bd3793a5328febd66d08ada8
Opcode Fuzzy Hash: 2cee0f2e6723387e5887660578f522612764e0113c8e07d445d22e64c66d35e3
Instruction Fuzzy Hash: D3F0C295A1E3CB0FE743AB388C211A57F70EF5B251B8904F3D488CB093ED0C684A8362

Function 00007FFB4AA1CA40 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e0189fe60620b602308feb1c5ef484b5ec330c283e188c631d7b85651be3fc
Instruction ID: ebe5abd6f6c068e55a71ff04365df77b662a39ad74c9dc3db66bb0d8e124c445
Opcode Fuzzy Hash: e0e0189fe60620b602308feb1c5ef484b5ec330c283e188c631d7b85651be3fc
Instruction Fuzzy Hash: A6F017A280E7E11FE32B5F7858651A03FA09B03511B0E01EBC8C8CB1E3D40C5D8983A3

Function 00007FFB4AA1C535 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5c0f1a953fb83bfaabc2fc2643c1163b5342143db794662ee737e3f10951c4
Instruction ID: d6881e9b6e1145c77f5ff83879fbebeedc5ea6f921fe5dc1a082a675bcf64555
Opcode Fuzzy Hash: fb5c0f1a953fb83bfaabc2fc2643c1163b5342143db794662ee737e3f10951c4
Instruction Fuzzy Hash: 76F05452A4DBCA1FE7556F3C5D581B82EC5AF55361F9C01FDC048C71D3D80D88064310

Function 00007FFB4AA1CA29 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f8ee9cc713d4432dc38fd86ba280d72af8942d31a99f48da93782e15d65b12
Instruction ID: 4dc79239faeebdf4ea780465f080b03f497ebd756080bfe6881015146d742605
Opcode Fuzzy Hash: f2f8ee9cc713d4432dc38fd86ba280d72af8942d31a99f48da93782e15d65b12
Instruction Fuzzy Hash: B4F0E9A2D0D5A61BF769BE7CA9552F42DC1D740611F4C00F6D888871C2D84D5DC54391

Function 00007FFB4AA1F45D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17ce83015835bc149c1281487963c279a4d7458d82313fb8697bcdbcc34ef54
Instruction ID: 8b3b891abba3ba98ce9d25dcbcc52d7aa9b1d11de6f3942034494fe8de88b8cd
Opcode Fuzzy Hash: a17ce83015835bc149c1281487963c279a4d7458d82313fb8697bcdbcc34ef54
Instruction Fuzzy Hash: DCE02271C0C68C6FDB01FF74C8564FDBFA0EF55300F8001E7E409CA092EA289A198781

Function 00007FFB4AA1D101 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d540b033ff4f8073a927bc35a89675f2649217de4adccbb996aad611f629efcb
Instruction ID: 8e21f4a71634ae3fe4f5a909b5f9223519c545f9387613f64e77563e8e85e8a3
Opcode Fuzzy Hash: d540b033ff4f8073a927bc35a89675f2649217de4adccbb996aad611f629efcb
Instruction Fuzzy Hash: B9E086E284E7D62FE7525A754C2A2947F407F16211B8C42FFC4848F5D3D90D58459762

Non-executed Functions

Function 00007FFB4AA112FB Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

1O_^, xrefs: 00007FFB4AA11301

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID: 1O_^
API String ID: 0-2749740877
Opcode ID: c66f3e1665835d7b20affc046f46a33695233d869b3a3cb39335714132c4e38d
Instruction ID: 7cae67a9267b090633c4c920b3b70e68c91df08a1b9c23e2a936137370eeab89
Opcode Fuzzy Hash: c66f3e1665835d7b20affc046f46a33695233d869b3a3cb39335714132c4e38d
Instruction Fuzzy Hash: F831E7BB90E7929FD703AF3CE5A50E57F24DF8322531900FBC685CA463E91528468765

Function 00007FFB4AA112F8 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

1O_^, xrefs: 00007FFB4AA11301

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID: 1O_^
API String ID: 0-2749740877
Opcode ID: 6cb60a94687f12ac7dcc8f842e0247cb5732e6010b0efd2f4ce366cd4acb39e8
Instruction ID: de081341f184a3533c72032572eaa97b00cff6c37c94d6fc0f8d21c62dd91d83
Opcode Fuzzy Hash: 6cb60a94687f12ac7dcc8f842e0247cb5732e6010b0efd2f4ce366cd4acb39e8
Instruction Fuzzy Hash: BF31F5BB90E7929FE703AF3CE5A50E57F24DF8222531900FBC584CA463E91528468365

Function 00007FFB4AA1BAFB Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a656995d77272b964ff272c57888688987b5f1d29615d05f91f1285436f45e
Instruction ID: e458c8894e9394d72e1f7cafc233f9e3b76cbfb7a64d325dd498f5d748619d1f
Opcode Fuzzy Hash: 48a656995d77272b964ff272c57888688987b5f1d29615d05f91f1285436f45e
Instruction Fuzzy Hash: A14216D280EBC26FE356AEB88D151B5BFA4AF5625472C00FFD0C84B0D7D8599D0E8396

Function 00007FFB4AA110AD Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8175baababcb7441968471c524511e17067b5d5b6c5fe92a5e3d659496b576ec
Instruction ID: 13c5cf7c6c878504a8524c012062e023982f35d7b93e71d6b2b50ce84127ebb8
Opcode Fuzzy Hash: 8175baababcb7441968471c524511e17067b5d5b6c5fe92a5e3d659496b576ec
Instruction Fuzzy Hash: 051209ABA0EBD65FE312AE7DE9550E53F54EF9223571900FBC5C4CA093E905284B83B1

Function 00007FFB4AA111FA Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc913267df8e971a2319ea4867f7980dac3fbd6245a8cd7c65a53b8e24cec33
Instruction ID: e95890c0280230e3a94576a695d01911f3e82641030355e8fa44f14d4b66edd1
Opcode Fuzzy Hash: 3cc913267df8e971a2319ea4867f7980dac3fbd6245a8cd7c65a53b8e24cec33
Instruction Fuzzy Hash: 2E51F27BA0D663DBE702BF3DF5551E57B24EF8233535804B7C984CE053E915388A86A4

Function 00007FFB4AA112D3 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd69bfb27e1da6223ff023af6f0106de860b26a71af14d1a01ed56234012a3c0
Instruction ID: 5ff41f1b4b84a0e599364a06e7be614b1ee885761ed871a126039e7e54ad3e8d
Opcode Fuzzy Hash: fd69bfb27e1da6223ff023af6f0106de860b26a71af14d1a01ed56234012a3c0
Instruction Fuzzy Hash: 7941F67B60E7A29FD303AF3CE5A50E57F24DF8227531900FBC684CA463D905284B82A5

Function 00007FFB4AA11300 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589a5fe112a7ca2ea535c72ec4bf4c83ce19d3c57fe1d1cb32d891822feae99b
Instruction ID: 98a1866f18c8e35cad4e7283d108d40e396a1259e75bbb99d7abcc0dfbd0b2bb
Opcode Fuzzy Hash: 589a5fe112a7ca2ea535c72ec4bf4c83ce19d3c57fe1d1cb32d891822feae99b
Instruction Fuzzy Hash: CC31F4BB90E793DFE703AF3CE5A90E57F24DF8222531900FBC584CA463E915284687A5

Function 00007FFB4AA188F2 Relevance: 7.6, Strings: 6, Instructions: 108COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFB4AA189C9
N_^, xrefs: 00007FFB4AA18912
N_^, xrefs: 00007FFB4AA18922
N_^, xrefs: 00007FFB4AA1897A
N_^, xrefs: 00007FFB4AA1896A
N_^, xrefs: 00007FFB4AA188F2

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^$N_^
API String ID: 0-1364355708
Opcode ID: b3d84a46753cc9fbd15f4714b9721a0531c81c54212653b49adc17efea00c045
Instruction ID: 3167fb8c6df519e23d17a40acbafa7ef06bd238e4b5e4231034ab74e28eef9ad
Opcode Fuzzy Hash: b3d84a46753cc9fbd15f4714b9721a0531c81c54212653b49adc17efea00c045
Instruction Fuzzy Hash: 63313FE2D0EACA2FE7566EB98DA90716F94EF3A64471D00F2C5D84B193FC0A18074767

Function 00007FFB4AA18AFA Relevance: 6.4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFB4AA18AFA
N_^, xrefs: 00007FFB4AA18B6A
N_^, xrefs: 00007FFB4AA18B2A
N_^, xrefs: 00007FFB4AA18B7A
N_^, xrefs: 00007FFB4AA18BC9

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: 087340bdf023bbd3c3f402e1a577a0974f75218211697dcfc43530017da20f9e
Instruction ID: 41c916f2bb4b40c51592fb1f8ebf02de61ff6f6e547bf7dcf667e304c007fc01
Opcode Fuzzy Hash: 087340bdf023bbd3c3f402e1a577a0974f75218211697dcfc43530017da20f9e
Instruction Fuzzy Hash: CF31B9F3D0DAD62EF3616EB99DE90791F94EF3974A72900F6C1954B083EC0A28074267

Function 00007FFB4AA189FA Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFB4AA18A2A
N_^, xrefs: 00007FFB4AA189FA
N_^, xrefs: 00007FFB4AA18A6A
N_^, xrefs: 00007FFB4AA18AC9
N_^, xrefs: 00007FFB4AA18A7A

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: 2bc3e41258cd5245b7fb7a8f8f8ac0a6c5d4121bc975c9fb939b8eac877f0a63
Instruction ID: 8d8aa54a939f71d51c346a61f66697bcae1236f8b8ee9d93a6dbfa1f8b98502e
Opcode Fuzzy Hash: 2bc3e41258cd5245b7fb7a8f8f8ac0a6c5d4121bc975c9fb939b8eac877f0a63
Instruction Fuzzy Hash: 103190E2D0DAC72FE365AEB98DA90B16F94FF2975571E01F6C1944A093E818184742B3

Function 00007FFB4AA18BFA Relevance: 5.1, Strings: 4, Instructions: 124COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFB4AA18C2A
N_^, xrefs: 00007FFB4AA18C7A
N_^, xrefs: 00007FFB4AA18C6A
N_^, xrefs: 00007FFB4AA18BFA

Memory Dump Source

Source File: 00000000.00000002.2765835199.00007FFB4AA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AA10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aa10000_PH5N7O0v0i.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: eebbd75e9ea61fdad1c7c90cea33b8cb8dc884a51f22ab254e588c4b12cee27b
Instruction ID: 1257421f355fba2b744fd683d4ff2bcf467aa1456d3c7a5dfa4a9cdff69433e9
Opcode Fuzzy Hash: eebbd75e9ea61fdad1c7c90cea33b8cb8dc884a51f22ab254e588c4b12cee27b
Instruction Fuzzy Hash: 6A31A9F790EAC61FE353AE798DA91A22F95FF35285B1900F6C1C487093E819184B4292

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PH5N7O0v0i.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: PH5N7O0v0i.exePID: 5652, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: PH5N7O0v0i.exePID: 5652, Parent PID: 4084COMMON

Executed Functions

Function 00007FFB4AA15DD6 Relevance: .5, Instructions: 474COMMON

Windows Analysis Report
PH5N7O0v0i.exe