Edit tour

Windows Analysis Report
PSemuX-7z2201-x64_686356.exe

Overview

General Information

Sample name:	PSemuX-7z2201-x64_686356.exe
Analysis ID:	1354807
MD5:	4c429162a2ff252feae81d485ee83ed4
SHA1:	9d97515b3f7ccf3f790a00e229b3bb85278e0779
SHA256:	05c2b596bd45efb00333097363872047f6cb67f2e9aae91ee600ab916f6fa80b
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Enables debug privileges

JA3 SSL client fingerprint seen in connection with other malware

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

PSemuX-7z2201-x64_686356.exe (PID: 2516 cmdline: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe MD5: 4C429162A2FF252FEAE81D485EE83ED4)

cleanup

Joe Sandbox Signatures

• Cryptography
• Compliance
• Networking
• System Summary
• Boot Survival
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: PSemuX-7z2201-x64_686356.exe, 00000000.00000000.2061283961.00000000013F3000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_c3c0a1fb-c

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 104.26.6.197:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE1701882023 HTTP/1.1Host: highinstaller.comUser-Agent: NSIS_InetLoad (Mozilla)Accept: */*

Source: unknown

DNS traffic detected: queries for: highinstaller.com

Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: PSemuX-7z2201-x64_686356.exe, 00000000.00000003.2230928870.000000000166C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://highinstaller.com/44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE
Source: PSemuX-7z2201-x64_686356.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 104.26.6.197:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: PSemuX-7z2201-x64_686356.exe, 00000000.00000000.2061351176.000000000144A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs PSemuX-7z2201-x64_686356.exe
Source: PSemuX-7z2201-x64_686356.exe	Binary or memory string: OriginalFilename7z.sfx.exe, vs PSemuX-7z2201-x64_686356.exe

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean1.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

File created: C:\Users\user\AppData\Roaming\7zip

Jump to behavior

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PSemuX-7z2201-x64_686356.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s %u %s %s %u "%d%02d%02d %02d:%02d:%02d" %u %d

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

File read: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

Jump to behavior

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: 7-Zip Help.lnk.0.dr	LNK file: ..\..\..\..\..\7zip\7-zip.chm
Source: 7-Zip File Manager.lnk.0.dr	LNK file: ..\..\..\..\..\7zip\7zFM.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: certificate valid

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: PSemuX-7z2201-x64_686356.exe

Static file information: File size 15006952 > 1048576

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xc91800

Source: PSemuX-7z2201-x64_686356.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: PSemuX-7z2201-x64_686356.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: PSemuX-7z2201-x64_686356.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PSemuX-7z2201-x64_686356.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7-Zip	Jump to behavior
Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk	Jump to behavior
Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk	Jump to behavior

Source: PSemuX-7z2201-x64_686356.exe, 00000000.00000003.2230928870.000000000166C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PSemuX-7z2201-x64_686356.exe, 00000000.00000003.2073821372.000000000167C000.00000004.00000020.00020000.00000000.sdmp, PSemuX-7z2201-x64_686356.exe, 00000000.00000003.2073603501.0000000001679000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT!u
Source: PSemuX-7z2201-x64_686356.exe, 00000000.00000003.2230928870.000000000166C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe	Process token adjusted: Debug			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://ocsps.ssl.com0?	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://highinstaller.com/44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
https://highinstaller.com/44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE1701882023	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
highinstaller.com	104.26.6.197	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://highinstaller.com/44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE1701882023	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	PSemuX-7z2201-x64_686356.exe	false		high
https://curl.se/docs/hsts.html	PSemuX-7z2201-x64_686356.exe	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	PSemuX-7z2201-x64_686356.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	PSemuX-7z2201-x64_686356.exe	false		high
https://curl.se/docs/http-cookies.html	PSemuX-7z2201-x64_686356.exe	false	Avira URL Cloud: safe	unknown
https://highinstaller.com/44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE	PSemuX-7z2201-x64_686356.exe, 00000000.00000003.2230928870.000000000166C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	PSemuX-7z2201-x64_686356.exe	false		high
http://ocsps.ssl.com0?	PSemuX-7z2201-x64_686356.exe	false	URL Reputation: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	PSemuX-7z2201-x64_686356.exe	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	PSemuX-7z2201-x64_686356.exe	false		high
http://ocsps.ssl.com0	PSemuX-7z2201-x64_686356.exe	false	URL Reputation: safe	unknown
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	PSemuX-7z2201-x64_686356.exe	false		high
https://curl.se/docs/alt-svc.html	PSemuX-7z2201-x64_686356.exe	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	PSemuX-7z2201-x64_686356.exe	false		high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	PSemuX-7z2201-x64_686356.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.6.197	highinstaller.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1354807
Start date and time:	2023-12-06 17:59:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PSemuX-7z2201-x64_686356.exe
Detection:	CLEAN
Classification:	clean1.winEXE@1/2@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PSemuX-7z2201-x64_686356.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Thank You for your interest.eml	Get hash	malicious	Unknown	Browse	104.16.126.175
	MRKU8781602.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PO.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	MSG831006356.html	Get hash	malicious	HTMLPhisher	Browse	104.22.59.100
	Revised_PO3923447.pdf.exe	Get hash	malicious	FormBook	Browse	172.67.159.240
	file.exe	Get hash	malicious	FormBook	Browse	104.21.72.220
	QUOTATION.PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Purchase_Order_#PO30086.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Y97STVZCPZC12AQ-0315904351-pdf.exe	Get hash	malicious	AgentTesla	Browse	162.159.128.233
	Signed_PO.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PO_0206201.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	https://onelaunch.com/download	Get hash	malicious	Unknown	Browse	104.18.23.62
	http://mecapantincendio.it	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://lp.constantcontactpages.com/ev/reg/y793q5y/lp/f6b4fe10-7884-4304-a170-ea90347851f4	Get hash	malicious	Unknown	Browse	162.247.243.29
	https://lovegemini.co.uk/fc.PDF	Get hash	malicious	Unknown	Browse	104.17.3.184
	ATT00001.htm	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	ksbqaf .html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://t.co/cYottgMrB8	Get hash	malicious	Phisher	Browse	172.67.177.226
	ATT00001.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://content.indeed.com/Njk5LVNYSi03MTUAAAGPvBA5Y9iCQ3O82prO99h2K94Ru8_B-yEEqR8gRDx3Rho1w9vUKCSRFIyBJwLi8DCtE0_lxls=	Get hash	malicious	Unknown	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	_.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	_.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	22382_327.js	Get hash	malicious	LummaC Stealer	Browse	104.26.6.197
	fences-1.0.1.0.0-installer_t-TafY1.exe	Get hash	malicious	CobaltStrike	Browse	104.26.6.197
	avast_vpn_online_setup.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.26.6.197
	Microstub.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	Microstub.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	6UqqC9EHFA.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	baofeng15.0.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	PDFViewer_44727842.msi	Get hash	malicious	Unknown	Browse	104.26.6.197
	4496tHOPrYDQuhscyVqEZcbCBRRq.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	4496cCQpJVwUDGHVYSnxwLRoEIMF.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	Chrome_update(1).js	Get hash	malicious	Unknown	Browse	104.26.6.197
	Chrome_update(1).js	Get hash	malicious	Unknown	Browse	104.26.6.197
	4496iKzQhkhlziKzdxfRihzUykrn.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	telegram_cxcLf.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	CKlO7ANp5J.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	MoQlNbG9Iu.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	http://104.156.149.33/yes/4496EOhNFImHEZOIsrnCCTmYaysV.exe	Get hash	malicious	Unknown	Browse	104.26.6.197
	xE5YAGNf32.exe	Get hash	malicious	Unknown	Browse	104.26.6.197

Process:	C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	888
Entropy (8bit):	2.963904264096373
Encrypted:	false
SSDEEP:	12:8gl0ARsXU1e/tz0/CSLWXuhKBkMESBgCNfBf4t2YZ/elFlSJm:8jvWLWehKBTfBpjqy
MD5:	FD71B328BEF69A26080A3EE360EC1735
SHA1:	7C735DC3B5248FE03BF2B67A098CCE4AD972EE04
SHA-256:	48B952FC64216B625E6C620738CFC85A8C97193C661AC564400EDF329EB244F1
SHA-512:	4A90D662FA96A70A0AA730AA166BB4765C8A39D7958C13F0CEB4FB4F0EB4B1541F152F0AD669AD63EC36E78B4E8B4D98A1BB08AA54F4D96E8841FDDED54B408B
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................'....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....N.1...........7zip..:............................................7.z.i.p.....Z.2...........7zFM.exe..B............................................7.z.F.M...e.x.e.............\.....\.....\.....\.....\.7.z.i.p.\.7.z.F.M...e.x.e.............}.............>.e.L.:..er.=}...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk

Download File

Process:	C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	892
Entropy (8bit):	2.965325705818322
Encrypted:	false
SSDEEP:	12:8gl02sXU1e/tz0/CSLWXuhK1cq6RWUlCNfBf4t2YZ/elFlSJm:8dvWLWehKxglkjqy
MD5:	44D122BB274045329CC731C9AB0C1829
SHA1:	70318C04910C87A0EA4C0D9D36540C5FAB120ECC
SHA-256:	7D048E1A89BBE833DFFAB42C8F88413CECD5E9118743B7EE725E30B8E375D48B
SHA-512:	4126A7A635C3D4188B187D8F1C721F7B2F868E70F0698C1E6CF87A6EB9E123FA9903CB7DD7014617EB44962E74916A8F27EA915EA7BCBC564FF47F52CC5AECA5
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................)....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....N.1...........7zip..:............................................7.z.i.p.....\.2...........7-zip.chm.D............................................7.-.z.i.p...c.h.m.............\.....\.....\.....\.....\.7.z.i.p.\.7.-.z.i.p...c.h.m.............}.............>.e.L.:..er.=}...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.0570215910645775
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PSemuX-7z2201-x64_686356.exe
File size:	15'006'952 bytes
MD5:	4c429162a2ff252feae81d485ee83ed4
SHA1:	9d97515b3f7ccf3f790a00e229b3bb85278e0779
SHA256:	05c2b596bd45efb00333097363872047f6cb67f2e9aae91ee600ab916f6fa80b
SHA512:	82b7ac00c59cb1b409559c4be8e697f5fe9005773b033931d92d359483d81890b827af3144ffc63b9fe5808c14e1aa057b9350a7c53405c267c6e24a4cf8c6cc
SSDEEP:	393216:qtIFYL6tUPTRbaBRNOEVTLXcPDuOIUVDzQHTzrIBo9PIBo9HIBo9vIBo9IIBo9Pd:qtIFYL6tUPTRbaBRNOEVTLXcb1QHTzrc
TLSH:	08E67FD8B253F449E3D404A1251576D84A431D357B25DAE87F8327E82A2C18AFEF1F3A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.or...!...!...!...!...!.y.!...!...!/..!s.. ...!s.. ...!s.. ...!s.. ...!.y.!...!... ...!... ...!... ...!...!...!...!...!... ...

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0x1018552
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6532818F [Fri Oct 20 13:33:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	73f4ae5a1cdfbec53be5180e242a288b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	28/10/2022 20:52:48 21/10/2023 17:32:41
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization, CN=Digital Doc Inc., SERIALNUMBER=1411858-8, O=Digital Doc Inc., L=Etobicoke, S=Ontario, C=CA
Version:	3
Thumbprint MD5:	C5C31184597D7BDCFB805D727F602D58
Thumbprint SHA-1:	FA79EE1810D4CCE467D56C1B4C530947910D0847
Thumbprint SHA-256:	5376906F26B3B498BA4FA42A74B303A4457F74FB5F52BDB57EC27DF0F2054D93
Serial:	4CB7A2BDF02529EC744228C083B5AAE8

Entrypoint Preview

Instruction
call 00007F6AB06CC0A0h
jmp 00007F6AB06CBAAFh
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 010BE868h
mov dword ptr [ecx], 0109817Ch
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F6AB06CBC0Fh
push 010DF48Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F6AB071CC33h
int3
jmp 00007F6AB071FF13h
push ebp
mov ebp, esp
and dword ptr [010E6844h], 00000000h
sub esp, 24h
or dword ptr [010E2084h], 01h
push 0000000Ah
call dword ptr [010930F4h]
test eax, eax
je 00007F6AB06CBDDFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebx+04h], esi
or eax, edi
or eax, dword ptr [ebp-08h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcdfd74	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcea000	0x2008	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe4df20	0x1dc8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xced000	0x2229c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcd6d2c	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xcd6d48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc93000	0x4e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc916ad	0xc91800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc93000	0x4e676	0x4e800	False	0.3892472382563694	data	5.5843990126044964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xce2000	0x7340	0x2200	False	0.22518382352941177	data	4.51016770081089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xcea000	0x2008	0x2200	False	0.2913602941176471	data	3.2668412287346413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xced000	0x2229c	0x22400	False	0.552983861770073	data	6.500769652772586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcea800	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0xceaae8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_DIALOG	0xceb188	0x1fc	data	English	United States	0.4704724409448819
RT_DIALOG	0xceac38	0x12e	data	English	United States	0.6225165562913907
RT_DIALOG	0xcead68	0x2f4	data	English	United States	0.48148148148148145
RT_DIALOG	0xceb060	0x126	data	English	United States	0.5850340136054422
RT_STRING	0xceb408	0x3e	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.6774193548387096
RT_STRING	0xceb3c0	0x42	data	English	United States	0.7121212121212122
RT_STRING	0xceb448	0x60	data	English	United States	0.5625
RT_STRING	0xcebe58	0x30	data	English	United States	0.5833333333333334
RT_STRING	0xceb4a8	0x208	Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0	English	United States	0.4269230769230769
RT_STRING	0xceb6b0	0xe2	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.43805309734513276
RT_STRING	0xceb798	0x34	data	English	United States	0.6538461538461539
RT_STRING	0xceb7d0	0x30	data	English	United States	0.6041666666666666
RT_STRING	0xceb800	0x6e	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	English	United States	0.6818181818181818
RT_STRING	0xceb870	0x11a	data	English	United States	0.5035460992907801
RT_STRING	0xceb990	0x6a	data	English	United States	0.5471698113207547
RT_STRING	0xceb388	0x32	data	English	United States	0.58
RT_STRING	0xceba00	0x1ea	data	English	United States	0.363265306122449
RT_STRING	0xcebbf0	0x156	Matlab v4 mat-file (little endian) U, numeric, rows 0, columns 0	English	United States	0.5175438596491229
RT_STRING	0xcebd48	0x56	data	English	United States	0.6162790697674418
RT_STRING	0xcebda0	0xb6	data	English	United States	0.5164835164835165
RT_GROUP_ICON	0xceac10	0x22	data	English	United States	1.0
RT_VERSION	0xcea550	0x2b0	data	English	United States	0.49273255813953487
RT_MANIFEST	0xcebe88	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, SetFilePointer, SetEnvironmentVariableW, MultiByteToWideChar, GetStartupInfoW, GetLogicalDriveStringsA, MoveFileW, FileTimeToSystemTime, InitializeSListHead, GetStringTypeW, GetCurrentProcess, TlsAlloc, GetSystemDirectoryW, GetUserDefaultLCID, lstrcatA, GlobalFree, GetLastError, InitializeCriticalSectionEx, SetFileAttributesW, CreateSemaphoreA, CreateEventA, IsDebuggerPresent, ReleaseSemaphore, GetFileSizeEx, LoadLibraryA, FindNextFileA, WriteConsoleW, FindFirstFileW, CreateThread, IsProcessorFeaturePresent, GetFullPathNameW, SetUnhandledExceptionFilter, SetFilePointerEx, FindClose, LocalFree, GetConsoleMode, GetCPInfo, UnhandledExceptionFilter, LeaveCriticalSection, VirtualAlloc, GlobalMemoryStatus, FormatMessageW, GetFileAttributesW, GetProcessHeap, GlobalAlloc, CreateFileW, InitializeCriticalSection, VirtualFree, TlsSetValue, VerifyVersionInfoW, LoadLibraryExW, ReleaseSRWLockExclusive, Sleep, GetDateFormatW, ResetEvent, GetTimeFormatW, MoveFileExW, CreateDirectoryA, IsValidLocale, CloseHandle, lstrlenA, GlobalUnlock, PeekNamedPipe, GetFileInformationByHandle, WaitForSingleObject, GetTickCount64, FlushFileBuffers, GetModuleFileNameW, DeleteCriticalSection, ReadFile, DeleteFileA, GlobalLock, GetTimeZoneInformation, RemoveDirectoryW, GetCommandLineA, TerminateProcess, GetVersionExA, SleepEx, GetTickCount, SetFileAttributesA, GetModuleHandleA, WaitForSingleObjectEx, GetProcAddress, CreateDirectoryW, FreeEnvironmentStringsW, HeapSize, SetEndOfFile, HeapFree, CreateFileA, RtlUnwind, FileTimeToLocalFileTime, LCMapStringEx, GetDriveTypeW, GetACP, EncodePointer, GetSystemTimeAsFileTime, GetOEMCP, GetModuleFileNameA, GetModuleHandleW, TlsGetValue, SetLastError, GetCurrentThread, GetStdHandle, SystemTimeToTzSpecificLocalTime, TlsFree, GetFileSize, QueryPerformanceCounter, WaitForMultipleObjects, EnumSystemLocalesW, GetSystemWow64DirectoryW, ReadConsoleW, AreFileApisANSI, GetProcessAffinityMask, SetPriorityClass, EnterCriticalSection, CompareFileTime, GetLocaleInfoW, IsValidCodePage, VerSetConditionMask, GetFileAttributesA, FindFirstFileA, GetCurrentDirectoryW, WideCharToMultiByte, RemoveDirectoryA, CompareStringW, GetCommandLineW, FreeLibrary, GetEnvironmentVariableA, GetLogicalDriveStringsW, HeapReAlloc, MoveFileA, lstrlenW, GetCurrentProcessId, FindFirstFileExW, ExitThread, DecodePointer, GetFileAttributesExW, FormatMessageA, HeapAlloc, lstrcatW, DeleteFileW, SetFileTime, LCMapStringW, LoadLibraryW, AcquireSRWLockExclusive, GetModuleHandleExW, SetEvent, GetSystemInfo, ExitProcess, WriteFile, QueryPerformanceFrequency, GetConsoleOutputCP, SetStdHandle, GetFileType, RaiseException, GetEnvironmentStringsW, FindNextFileW, FreeLibraryAndExitThread, GetCurrentDirectoryA
USER32.dll	GetWindowTextLengthA, DialogBoxParamA, EmptyClipboard, CharUpperA, CheckDlgButton, EndDialog, SetClipboardData, GetMonitorInfoA, GetWindowLongA, SetFocus, IsDlgButtonChecked, CharUpperW, PostMessageA, LoadIconA, GetKeyState, SetTimer, ScreenToClient, OpenClipboard, SystemParametersInfoA, MonitorFromWindow, SetCursor, SetWindowTextW, MoveWindow, LoadStringA, MapDialogRect, DialogBoxParamW, KillTimer, SetWindowTextA, SetWindowLongA, MessageBoxW, wsprintfA, LoadCursorA, GetWindowTextW, GetWindowTextA, InvalidateRect, LoadStringW, ShowWindow, GetDlgItem, EnableWindow, SendMessageW, GetWindowRect, GetParent, MessageBoxA, CloseClipboard, GetWindowTextLengthW, SendMessageA, GetFocus
ADVAPI32.dll	CryptDestroyKey, CryptGetHashParam, RegSetValueExW, CryptImportKey, CryptCreateHash, RegOpenKeyExW, CryptEncrypt, CryptDestroyHash, RegCreateKeyExW, CryptAcquireContextW, CryptHashData, CryptReleaseContext, RegCloseKey
SHELL32.dll	SHGetMalloc, CommandLineToArgvW, SHGetFileInfoA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetSpecialFolderPathW
ole32.dll	CoInitialize, CoUninitialize, CoCreateInstance, OleInitialize
OLEAUT32.dll	VariantClear, SysAllocStringLen, SysAllocString, SysStringLen, SysFreeString
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertEnumCertificatesInStore, CertFindExtension, CertFreeCertificateChainEngine, CryptDecodeObjectEx, CertCloseStore, CertGetNameStringW, CryptQueryObject, CertFindCertificateInStore, CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateContext, CertCreateCertificateChainEngine, CertAddCertificateContextToStore, PFXImportCertStore, CertOpenStore, CryptStringToBinaryW
WLDAP32.dll
WS2_32.dll	getpeername, sendto, recvfrom, getaddrinfo, socket, ioctlsocket, gethostname, getsockopt, send, WSAEventSelect, WSAIoctl, WSACloseEvent, WSAWaitForMultipleEvents, WSAResetEvent, freeaddrinfo, closesocket, WSAGetLastError, ntohs, WSASetLastError, WSAStartup, WSACleanup, htons, setsockopt, WSACreateEvent, __WSAFDIsSet, select, accept, bind, connect, getsockname, htonl, listen, recv, WSAEnumNetworkEvents

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 9
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2023 18:00:24.717495918 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:24.717552900 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:24.717632055 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:24.757014036 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:24.757052898 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:24.975259066 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:24.975459099 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:24.979105949 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:24.979125023 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:24.979465961 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:24.989775896 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:25.036739111 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:25.280441046 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:25.280745983 CET	443	49710	104.26.6.197	192.168.2.5
Dec 6, 2023 18:00:25.280843973 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:25.288577080 CET	49710	443	192.168.2.5	104.26.6.197
Dec 6, 2023 18:00:25.288615942 CET	443	49710	104.26.6.197	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2023 18:00:24.563206911 CET	53349	53	192.168.2.5	1.1.1.1
Dec 6, 2023 18:00:24.666577101 CET	53	53349	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2023 18:00:24.563206911 CET	192.168.2.5	1.1.1.1	0x93d5	Standard query (0)	highinstaller.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 6, 2023 18:00:24.666577101 CET	1.1.1.1	192.168.2.5	0x93d5	No error (0)	highinstaller.com	104.26.6.197	A (IP address)	IN (0x0001)	false
Dec 6, 2023 18:00:24.666577101 CET	1.1.1.1	192.168.2.5	0x93d5	No error (0)	highinstaller.com	172.67.73.193	A (IP address)	IN (0x0001)	false
Dec 6, 2023 18:00:24.666577101 CET	1.1.1.1	192.168.2.5	0x93d5	No error (0)	highinstaller.com	104.26.7.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

highinstaller.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	104.26.6.197	443	2516	C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-06 17:00:24 UTC	177	OUT	GET /44A6538B354E964A/58465704911/6F981813D58FB801/70188202322?6D6E5385A14D8AFE1701882023 HTTP/1.1 Host: highinstaller.com User-Agent: NSIS_InetLoad (Mozilla) Accept: /
2023-12-06 17:00:25 UTC	542	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36 20 44 65 63 20 32 30 32 33 20 31 37 3a 30 30 3a 32 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 46 2d 43 61 63 68 65 2d 53 74 61 74 75 73 3a 20 44 59 4e 41 4d 49 43 0d 0a 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 33 3f 73 3d 6b 39 69 62 5a 4d 6c 4f 4f 74 Data Ascii: HTTP/1.1 200 OKDate: Wed, 06 Dec 2023 17:00:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k9ibZMlOOt
2023-12-06 17:00:25 UTC	38	IN	Data Raw: 32 30 0d 0a 36 46 35 33 43 36 43 36 43 33 37 37 35 44 35 30 46 37 46 42 45 31 42 31 35 44 35 33 32 34 45 34 0d 0a Data Ascii: 206F53C6C6C3775D50F7FBE1B15D5324E4
2023-12-06 17:00:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• PSemuX-7z2201-x64_686356.exe

Click to jump to process

Memory Usage

• PSemuX-7z2201-x64_686356.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	18:00:22
Start date:	06/12/2023
Path:	C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PSemuX-7z2201-x64_686356.exe
Imagebase:	0x760000
File size:	15'006'952 bytes
MD5 hash:	4C429162A2FF252FEAE81D485EE83ED4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PSemuX-7z2201-x64_686356.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
PSemuX-7z2201-x64_686356.exe