Play interactive tour

Edit tour

Windows Analysis Report oYIQVnvsyG.exe

Overview

General Information

Sample Name:	oYIQVnvsyG.exe
Analysis ID:	483803
MD5:	43c573966b2b1d5d87ecd57eb2a81c33
SHA1:	a08966162e39fa04e39d93b1d121f1bef6b3ec86
SHA256:	d062fa8446a39adb2182c2a506e96801792855bbb0da2a9f278134630a5e5de2
Infos:
Most interesting Screenshot:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

May sleep (evasive loops) to hinder dynamic analysis

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

oYIQVnvsyG.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\oYIQVnvsyG.exe' MD5: 43C573966B2B1D5D87ECD57EB2A81C33)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: oYIQVnvsyG.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Jump to behavior

Source: oYIQVnvsyG.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: oYIQVnvsyG.exe, 00000000.00000002.239893622.00000000014B2000.00000004.00000020.sdmp

String found in binary or memory: http://go.microsz.R

Source: oYIQVnvsyG.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: oYIQVnvsyG.exe, 00000000.00000000.229505995.0000000000F6A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePWCRLauncher.exe4 vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe, 00000000.00000002.239887172.00000000014A9000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe	Binary or memory string: OriginalFilenamePWCRLauncher.exe4 vs oYIQVnvsyG.exe

Source: oYIQVnvsyG.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: oYIQVnvsyG.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

File read: C:\Users\user\Desktop\oYIQVnvsyG.exe

Jump to behavior

Source: oYIQVnvsyG.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: classification engine

Classification label: clean2.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\oYIQVnvsyG.exe.log

Jump to behavior

Source: oYIQVnvsyG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll

Jump to behavior

Source: oYIQVnvsyG.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe TID: 6396

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\oYIQVnvsyG.exe

Memory allocated: page read and write | page guard

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion21	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oYIQVnvsyG.exe	2%	Virustotal		Browse
oYIQVnvsyG.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://go.microsz.R	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsz.R	oYIQVnvsyG.exe, 00000000.00000002.239893622.00000000014B2000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483803
Start date:	15.09.2021
Start time:	14:05:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	oYIQVnvsyG.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 27.3% (good quality ratio 27.3%) Quality average: 86.3% Quality standard deviation: 13.5%
HCA Information:	Successful, ratio: 83% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Execution Graph export aborted for target oYIQVnvsyG.exe, PID 6364 because it is empty Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\oYIQVnvsyG.exe.log Download File
Process:	C:\Users\user\Desktop\oYIQVnvsyG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.23028103270434
Encrypted:	false
SSDEEP:	6:Q3LadLCDDXTg+Q+OLC/7OHHHYyVLS71OiOLCMM3RUVb52RsM3RLWJiv:Q3LaJcP0kaHYGLi1B01kKVdisk7v
MD5:	1BD2C34B7EABD73D2C0CDDE3CEE7FDCF
SHA1:	BF6B01758B557773ED227763B3BEC9DA78470DCE
SHA-256:	EC866DF47E958210640D673E172656EE8F000C284FD7EAF60A309F7B4759FCD0
SHA-512:	7A00F54FDBC9E30F53CA8032A1E84599AC943B544E941569763E35BE0BEAC863AEE7E260158B512C2DCF080414173B66E948DD244B579E5EAB0AA14315260945
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.7837838503558805
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	oYIQVnvsyG.exe
File size:	77824
MD5:	43c573966b2b1d5d87ecd57eb2a81c33
SHA1:	a08966162e39fa04e39d93b1d121f1bef6b3ec86
SHA256:	d062fa8446a39adb2182c2a506e96801792855bbb0da2a9f278134630a5e5de2
SHA512:	89c260ac4a42a9b706ed71b6a617d54980a09db5124160149126f3ebdd9d6165903828bf0e253acab04454ead0f58357c2893edb8174b0d11c5f9487d1af29ab
SSDEEP:	384:rvcXSvb3A9/96uiJII+Fv2chVzlzlzlzZehyik9WUZcXVJII+FXwQ5:rvDiF2ac09DZcXViJH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.\.................p............... ........... .......................`............@................................

File Icon


Icon Hash:	daae97d9c8f6c6c6

Static PE Info

General
Entrypoint:	0x1100880e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5C12350C [Thu Dec 13 10:31:40 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x87bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x9528	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6814	0x7000	False	0.231689453125	data	4.02819798601	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x9528	0xa000	False	0.0977783203125	data	2.04158250876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x1000	False	0.008544921875	data	0.0131269437212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa568	0x3228	dBase IV DBT of \200.DBF, blocks size 0, block length 12800, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xd790	0x2e8	data
RT_ICON	0xda78	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0xdba0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xe008	0x10a8	data
RT_ICON	0xf0b0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON	0x132d8	0x5a	data
RT_VERSION	0xa220	0x344	data
RT_MANIFEST	0x13338	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Honeywell 2017
Assembly Version	4.5.0.11810
InternalName	PWCRLauncher.exe
FileVersion	4.5.0.11810
CompanyName	Honeywell
ProductName	ProWatch
ProductVersion	4.5.0.11810
FileDescription	Complaince Reports Launcher
OriginalFilename	PWCRLauncher.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: oYIQVnvsyG.exe PID: 6364 Parent PID: 5384

General

Start time:	14:06:02
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\oYIQVnvsyG.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\oYIQVnvsyG.exe'
Imagebase:	0xf60000
File size:	77824 bytes
MD5 hash:	43C573966B2B1D5D87ECD57EB2A81C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: oYIQVnvsyG.exe PID: 6364 Parent PID: 5384 oYIQVnvsyG.exeCOMMON

Executed Functions

Function 00007FFAEEE70398, Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

z#ZM, xrefs: 00007FFAEEE704E8

Memory Dump Source

Source File: 00000000.00000002.240977023.00007FFAEEE70000.00000040.00000001.sdmp, Offset: 00007FFAEEE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaeee70000_oYIQVnvsyG.jbxd

Similarity

API ID:
String ID: z#ZM
API String ID: 0-1475669934
Opcode ID: 96bcd3288067113fec105c3de4cb5ed48fde70cbfc1caaa535391fe68b5bfbc6
Instruction ID: fa4d9335739d6fa3b0e0ce38f2ec0a52260f315e7bf8da28cad363f50f692db1
Opcode Fuzzy Hash: 96bcd3288067113fec105c3de4cb5ed48fde70cbfc1caaa535391fe68b5bfbc6
Instruction Fuzzy Hash: 1261C161B0DB8D4FE786AB3C54957647BE1DF5B250B9A40FAD48DCB2D3DC58AC088322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEE70265, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFAEEE702CC

Memory Dump Source

Source File: 00000000.00000002.240977023.00007FFAEEE70000.00000040.00000001.sdmp, Offset: 00007FFAEEE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaeee70000_oYIQVnvsyG.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 49aa483f6860ca0bd80008f893aa13875499cb309c594a717ec5faa71ece5160
Instruction ID: 50416f03714c790cbcbf1a7ab8a7f2ee2d61331ecda18bade1730daa3c12e659
Opcode Fuzzy Hash: 49aa483f6860ca0bd80008f893aa13875499cb309c594a717ec5faa71ece5160
Instruction Fuzzy Hash: 9121C362B0DBCE5FE787972898A02787FA0EF57340B4600F7E48CCB2D3D95899048312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEE70150, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240977023.00007FFAEEE70000.00000040.00000001.sdmp, Offset: 00007FFAEEE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaeee70000_oYIQVnvsyG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f095cec3c289c13664ecd00f0e41fd4c473092c8f267c3bf39779c8d99bc4e3d
Instruction ID: e882c74fe6b7b57ced0f84fa2dcd1719b97abc9e4cc9d8a59672be8145833012
Opcode Fuzzy Hash: f095cec3c289c13664ecd00f0e41fd4c473092c8f267c3bf39779c8d99bc4e3d
Instruction Fuzzy Hash: EBF08270608B4C8FCF44FF2898846A83BE5FB5D315B0542E7D84DCB293DA35D9588711

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report oYIQVnvsyG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: oYIQVnvsyG.exe PID: 6364 Parent PID: 5384

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: oYIQVnvsyG.exe PID: 6364 Parent PID: 5384 oYIQVnvsyG.exeCOMMON

Executed Functions

Function 00007FFAEEE70398, Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Function 00007FFAEEE70265, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Function 00007FFAEEE70150, Relevance: .0, Instructions: 40COMMON

Non-executed Functions