Edit tour

Windows Analysis Report
sq4TBEDm0b.exe

Overview

General Information

Sample name:	sq4TBEDm0b.exe renamed because original name is a hash value
Original sample name:	5f91a8ddc2c78cb7ddb971ab5ae4a2d4dd2596f5d4e7f017005eafbce8cdf8b3.exe
Analysis ID:	1544735
MD5:	dde7257c1717972d4f8cf9a48288b894
SHA1:	8b458665cebef66127801864dc51c31138023580
SHA256:	5f91a8ddc2c78cb7ddb971ab5ae4a2d4dd2596f5d4e7f017005eafbce8cdf8b3
Tags:	exeuser-FireDark

Errors Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected suspicious sample

Entry point lies outside standard sections

PE file contains an invalid checksum

PE file does not import any functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

sq4TBEDm0b.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\sq4TBEDm0b.exe" MD5: DDE7257C1717972D4F8CF9A48288B894)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.5% probability

Source: sq4TBEDm0b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT

Source:	Binary string: utcutil.pdbGCTL source: sq4TBEDm0b.exe
Source:	Binary string: OsfmConfig.pdb source: sq4TBEDm0b.exe
Source:	Binary string: vstxraid.pdb source: sq4TBEDm0b.exe
Source:	Binary string: utcutil.pdb source: sq4TBEDm0b.exe

Source: sq4TBEDm0b.exe

Static PE information: No import functions for PE file found

Source: sq4TBEDm0b.exe	Binary or memory string: OriginalFilenameutcutil.dllj% vs sq4TBEDm0b.exe
Source: sq4TBEDm0b.exe	Binary or memory string: OriginalFilenamevstxraid.sysb! vs sq4TBEDm0b.exe

Source: sq4TBEDm0b.exe	Binary string: The BootDevice property indicates the name of the disk drive from which the Win32 operating system boots. /nExample: \\Device\Harddisk0.
Source: sq4TBEDm0b.exe	Binary string: MSFT_CliPropertyBootDeviceThe BootDevice property indicates the name of the disk drive from which the Win32 operating system boots. /nExample: \\Device\Harddisk0.BootDevice

Source: classification engine

Classification label: sus22.winEXE@1/0@0/0

Source: sq4TBEDm0b.exe

String found in binary or memory: The local MS DTC detected that the MS DTC on %1 has the same unique identity as the local MS DTC. This means that the two MS DTC will not be able to communicate with each other. This problem typically occurs if one of the systems were cloned using unsupported cloning tools. MS DTC requires that the systems be cloned using supported cloning tools such as SYSPREP. Running 'msdtc -uninstall' and then 'msdtc -install' from the command prompt will fix the problem. Note: Running 'msdtc -uninstall' will result in the system losing all MS DTC configuration information.%0

Source: sq4TBEDm0b.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sq4TBEDm0b.exe

Static file information: File size 8388608 > 1048576

Source: sq4TBEDm0b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sq4TBEDm0b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sq4TBEDm0b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sq4TBEDm0b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sq4TBEDm0b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sq4TBEDm0b.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sq4TBEDm0b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT

Source: sq4TBEDm0b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: utcutil.pdbGCTL source: sq4TBEDm0b.exe
Source:	Binary string: OsfmConfig.pdb source: sq4TBEDm0b.exe
Source:	Binary string: vstxraid.pdb source: sq4TBEDm0b.exe
Source:	Binary string: utcutil.pdb source: sq4TBEDm0b.exe

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: sq4TBEDm0b.exe

Static PE information: real checksum: 0x2b247 should be: 0x80d479

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544735
Start date and time:	2024-10-29 17:04:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sq4TBEDm0b.exe renamed because original name is a hash value
Original Sample Name:	5f91a8ddc2c78cb7ddb971ab5ae4a2d4dd2596f5d4e7f017005eafbce8cdf8b3.exe
Detection:	SUS
Classification:	sus22.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Execution Graph export aborted for target sq4TBEDm0b.exe, PID 6900 because there are no executed function
VT rate limit hit for: sq4TBEDm0b.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Jmaman_##Salary##_Benefit_for_JmamanID#IyNURVhUTlVNUkFORE9NMTAjIw==.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://qH.todentu.ru/FcZpLy/#Obritchie@initusa.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	securedoc_20241028T070148.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	https://workdrive.zohoexternal.com/file/d3qaw4673940b54374623b165953068c580b5	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	dokument wysy#U0142kowy faktury nr 52-FK-24.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	CARDFACTORYAccess Program, Tuesday, October 29, 2024.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.google.mx/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Biw.%C2%ADgc%C2%ADrvn%C2%ADm0.%C2%ADza%C2%AD.c%E2%80%8Bo%C2%ADm%2Ffylee%2Fimages%2Fsf_rand_string_mixed(24)/roger.christenson@steptoe-johnson.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://url5148.librariapena.com/ls/click?upn=u001.GicqFEndYG5aFpuN1ngPufTfXrsQ9xNlNirpytR4MM9aBsYYFODsiAPftWqmKpvrE6ff_B2fWkfszhSflnL0HA3FnQqEKk1HJkizy-2Fud2LEQeI5aha2K2G6ppF2O0bL7D7H7LMN8WGu5xRF2M8uaTM6MXf6DAMaADWmIUL1YqZWKrQh1g-2F0n0cxV2mRrNZEteUwfW5DOdClcZ0c7E-2FIhACBFYnzvVFSnfSt3CZCN7P1EL1QyPVm42KBQGCDp3btvtG-2BbRJha-2FOyJXx-2BDZbno3l2jsvw-2FwkacYeoKE0uINsamNbg0rV0A52QCvn7k6VYTShXjbi9u51Z787-2F01bX1DTA9aSBSP-2FWMLEspaU-2FIdc1x-2FmRDSh7t6BQtQAtVlDsdci-2FkdE5XEzXcy1T7RT1mRx0Z8c0C7T5TxNvH7MOJLp-2BPx4LTMm4cKm4w-2Br4av4rqX3sFI-2B0Z54CPJjpfmgkQpOwbMxDkpsmVoLcKhd8rV7DcMtFguJaotRS3nEWM4vOO-2FegVGhzrwPBH6NjA2esFflr-2FYmA56ZztqyuVYNkq6vFbZhu3qpImgcxi-2BBybDKRWWCy9ZJhz5kW6d7c5iFMdA14shvBlO5oteNsOg1T8Wcd4MIJllivR5RQLa6JKyKUfgK8kF9DoOU4JGzocfITKQs9Z05ET92-2FS1aC5wu-2FuyffXQ4VOTrXPB9d3zUlvAaEdOc87CGa5e4y4lu-2F-2B9njpJqjlihSLoXPx3uHJhhT5l60Eu-2Fd0OnNMVN2uGoOn8P4Kyfxcr-2B3atbrIS84kkAo7VV7ElDHFn2Wn-2B0iZqwoFL1t1YCz2cR3xAkH3Dm45o7ag9bF7tv0L4g2t8v1fAwuiPylHAHkqFOEcwcDndKNNLE7ObrCi0wDxBijc-2FYVZU6-2F0yIfBAmiocABK2NEl2-2F-2FPMERnDYg-3D-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://assets-usa.mkt.dynamics.com/a915fd66-2592-ef11-8a66-00224803a417/digitalassets/standaloneforms/3d7495e3-e695-ef11-8a69-000d3a3501d6	Get hash	malicious	Mamba2FA	Browse	13.107.246.45

File type:	PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):	4.482683853769753
TrID:	Win64 Device Driver (generic) (12004/3) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	sq4TBEDm0b.exe
File size:	8'388'608 bytes
MD5:	dde7257c1717972d4f8cf9a48288b894
SHA1:	8b458665cebef66127801864dc51c31138023580
SHA256:	5f91a8ddc2c78cb7ddb971ab5ae4a2d4dd2596f5d4e7f017005eafbce8cdf8b3
SHA512:	36e8a28bcb64d40e4a11381c1dc4ac700c63eb9ca688e371f6efe087bf572e55fbc65c0a3e5b7af4bab39501f9856b4b8b8f830bdbc7dd979e06135a5400d67f
SSDEEP:	12288:iD0R3Ag85iGn01qcm2kWKPPsDsXtkEagDLC3GuVLPJlON0mrFUlo:y0R3Ag85iGn01qcm2kWuPrXtkEaK8OJ
TLSH:	FC869C16ABF59A69E2FA573644F7060208B6BC931D74E01F7047DF8D2CF2B049929B63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode......3.>).._.N... ... .....t.)... .i.!... ...!... .i.#... .i.$... .t..... .t."... .Rich.. .................PE..d......g.........."....&...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140005798
Entrypoint Section:	.data
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	native
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Time Stamp:	0x6705B3A8 [Tue Oct 8 22:35:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
add al, byte ptr [eax]
add byte ptr [eax], al
leave
add eax, 40007000h
add dword ptr [eax], eax
add byte ptr [eax], al
or dword ptr [eax], eax
push eax
mov edi, 00014001h
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jnbe 00007F3D15170B62h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc esp
adc dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi+11h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov eax, 00000000h
add byte ptr [eax], al
add byte ptr [eax+eax], ch
add byte ptr [eax], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push eax
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], dl
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0x28	INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f000	0x3c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d000	0x30	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1c400	0x5a18
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xd34	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b80	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2a40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x10	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa6	0x200	582212f2cb6eb89bf97a9d1c0835a1ac	False	0.220703125	data	1.8348494848019201	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0xda0	0xe00	cf6b2756316cac9f114d54044bb9020f	False	0.28013392857142855	data	3.1629554398413298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data	0x3000	0x19920	0x19a00	bec96316dbb248cf46d1911c447becda	False	0.06795922256097561	data	3.550893128469934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1d000	0x30	0x200	90ef0c2dd4400c16aa8db62199ff1eb9	False	0.615234375	data	4.226028774932973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
INIT	0x1e000	0x56	0x200	d817f1b7f367d4c2b554b1c5c8750325	False	0.6171875	data	4.271745201926876	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1f000	0x3c8	0x400	75ebc4482da2a2c306ddacdbc990de92	False	0.39453125	data	4.134288022089081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xd34	0xe00	34f36805a63cfd6712d3808a100af519	False	0.13922991071428573	data	4.255614460924902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 17:05:15.397731066 CET	1.1.1.1	192.168.2.6	0xc33a	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 17:05:15.397731066 CET	1.1.1.1	192.168.2.6	0xc33a	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:05:08
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\sq4TBEDm0b.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sq4TBEDm0b.exe"
Imagebase:	0x140000000
File size:	8'388'608 bytes
MD5 hash:	DDE7257C1717972D4F8CF9A48288B894
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sq4TBEDm0b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: sq4TBEDm0b.exePID: 6900, Parent PID: 4004

General

Chronological Activities

Disassembly

Windows Analysis Report
sq4TBEDm0b.exe