Edit tour

Windows Analysis Report
tera10.zip

Overview

General Information

Sample name:	tera10.zip
Analysis ID:	1516726
MD5:	1112c1d9408808a493352f73308d24a8
SHA1:	4217ae048db98b3a25649263f9d8117aa8c56e0d
SHA256:	a9cea39e306f430e00ca4630ff50d529f0996e144d469cae5635dd4f1a2c5783
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

One or more processes crash

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 7112 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Set-up.exe (PID: 5488 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)

Set-up.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\tera10\Set-up.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)

StrCmp.exe (PID: 7156 cmdline: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe MD5: 916D7425A559AAA77F640710A65F9182)

more.com (PID: 3364 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SearchIndexer.exe (PID: 636 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)

WerFault.exe (PID: 1148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 396 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Set-up.exe (PID: 3600 cmdline: "C:\Users\user\Desktop\tera10\Set-up.exe" MD5: B6F6C3C38568EE26F1AC70411A822405)

more.com (PID: 4800 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SearchIndexer.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)

WerFault.exe (PID: 2268 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 396 MD5: C31336C1EFC2CCB44B4326EA793040F2)

chrome.exe (PID: 3648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4404 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1840,i,182924779732938844,3043469172019284981,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tpm2emu\python27.dll

ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: tera10.zip

ReversingLabs: Detection: 13%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jmnpeame	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jmnpeame	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jmnpeame	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: C:\Windows\SysWOW64\SearchIndexer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 396

Source: classification engine

Classification label: mal80.evad.winZIP@33/22@2/26

Source: C:\Users\user\Desktop\tera10\Set-up.exe

File created: C:\Users\user\AppData\Roaming\tpm2emu

Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1916
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess636
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03

Source: C:\Users\user\Desktop\tera10\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\f45c09a5

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: tera10.zip

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe "C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe"
Source: unknown	Process created: C:\Users\user\Desktop\tera10\Set-up.exe "C:\Users\user\Desktop\tera10\Set-up.exe"
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: unknown	Process created: C:\Users\user\Desktop\tera10\Set-up.exe "C:\Users\user\Desktop\tera10\Set-up.exe"
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 396
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 396
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1840,i,182924779732938844,3043469172019284981,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1840,i,182924779732938844,3043469172019284981,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: pla.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: tdh.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: vb6zz.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: pla.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: tdh.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: tquery.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: mssrch.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: esent.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: tquery.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: mssrch.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: esent.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: shdocvw.dll

Source: tera10.zip

Static file information: File size 27703354 > 1048576

Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\jmnpeame	Jump to dropped file
Source: C:\Users\user\Desktop\tera10\Set-up.exe	File created: C:\Users\user\AppData\Roaming\tpm2emu\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\tera10\Set-up.exe	File created: C:\Users\user\AppData\Roaming\tpm2emu\python27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\tera10\Set-up.exe	File created: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Local\Temp\jmnpeame

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JMNPEAME
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JMNPEAME
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EAOULIJE
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JMNPEAME
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EAOULIJE
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JMNPEAME
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EAOULIJE
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JMNPEAME
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EAOULIJE

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_tera10.zip\Set-up.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\tera10\Set-up.exe	API/Special instruction interceptor: Address: 6C607C44
Source: C:\Users\user\Desktop\tera10\Set-up.exe	API/Special instruction interceptor: Address: 6C607945
Source: C:\Windows\SysWOW64\more.com	API/Special instruction interceptor: Address: 6C603B54
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 8DDC57

Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jmnpeame	Jump to dropped file
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\tpm2emu\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\tpm2emu\python27.dll	Jump to dropped file

Source: C:\Users\user\Desktop\tera10\Set-up.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\tera10\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x73BBE5A9
Source: C:\Users\user\Desktop\tera10\Set-up.exe	NtQuerySystemInformation: Direct from: 0x73BC2BA5
Source: C:\Users\user\Desktop\tera10\Set-up.exe	NtQuerySystemInformation: Direct from: 0x6C914874
Source: C:\Users\user\Desktop\tera10\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x776D7B2E
Source: C:\Users\user\Desktop\tera10\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x73BB3FC6

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com	Section loaded: unknown target: C:\Windows\SysWOW64\SearchIndexer.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 8DB300
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 270000
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 8DB300
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 540000

Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
Source: C:\Users\user\Desktop\tera10\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	211 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tera10.zip	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\tpm2emu\msvcr90.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\tpm2emu\python27.dll	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\jmnpeame	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jmnpeame	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jmnpeame	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.185.132	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.131	unknown	United States	15169	GOOGLEUS	false
74.125.133.84	unknown	United States	15169	GOOGLEUS	false
13.89.179.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
172.217.16.195	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1516726
Start date and time:	2024-09-24 14:40:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	tera10.zip
Detection:	MAL
Classification:	mal80.evad.winZIP@33/22@2/26
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: tera10.zip

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SearchIndexer.ex_cd53bb3f2f8e47747a257a3577baa06d94df3e33_9e0a92cb_a31cd8fc-1116-446c-8667-643dc4a6b310\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.808909323691549
Encrypted:	false
SSDEEP:
MD5:	4DF8F477519B998D314C438EE7CF8D89
SHA1:	3286920AD87962FEF27EF8A42C5940EA5B482E99
SHA-256:	4756C7804FA78E78BEE93C74A955137E36B954E48C00C963C0292BD83BE6CE6F
SHA-512:	E42752A8AE2E8BC27741AE17A338D383F8EC60B08BB210738C53535C900BD281D1D4C2A650D87D091A27BE3D113699BA6991C5BA238C7F9F261AB3103EEF3743
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.6.5.5.3.3.1.9.5.7.5.9.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.6.5.5.3.3.2.3.0.6.5.9.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.1.c.d.8.f.c.-.1.1.1.6.-.4.4.6.c.-.8.6.6.7.-.6.4.3.d.c.4.a.6.b.3.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.f.5.6.c.7.f.-.3.6.a.5.-.4.b.9.e.-.8.6.2.0.-.6.a.0.d.7.1.1.e.0.3.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.a.r.c.h.I.n.d.e.x.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.e.a.r.c.h.I.n.d.e.x.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.7.c.-.0.0.0.1.-.0.0.1.6.-.7.f.6.6.-.9.8.2.7.7.f.0.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.0.4.6.4.a.9.c.6.7.f.c.b.d.d.9.3.e.b.5.6.9.6.a.9.e.5.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SearchIndexer.ex_cd53bb3f2f8e47747a257a3577baa06d94df3e33_9e0a92cb_beaab279-fb9c-415a-8c2a-33c01e7617f7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.808619871483061
Encrypted:	false
SSDEEP:
MD5:	55D7991F09927F1EFDE5104352C1FD55
SHA1:	D4332B6E663826EE8AF28732F5D7DED26BE3A740
SHA-256:	2969AFF48BCD76F9A3E62A71C306A084F5F32860311753110D63E6E2FDA59A57
SHA-512:	6354A402A277E73D7E74F619E4A42CDEE66BC390CFB7FC7284B43097E6A2BF66A37173275F9F030E65941988B6703D0F49734A86A65B828330371768CE7B184B
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.6.5.5.3.4.3.4.1.8.4.1.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.6.5.5.3.4.3.7.0.5.4.2.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.a.a.b.2.7.9.-.f.b.9.c.-.4.1.5.a.-.8.c.2.a.-.3.3.c.0.1.e.7.6.1.7.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.9.1.3.9.b.9.-.b.e.b.f.-.4.e.9.a.-.a.a.3.9.-.6.e.2.7.8.e.d.5.4.0.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.a.r.c.h.I.n.d.e.x.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.e.a.r.c.h.I.n.d.e.x.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.7.c.-.0.0.0.1.-.0.0.1.6.-.8.8.9.6.-.d.4.2.f.7.f.0.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.0.4.6.4.a.9.c.6.7.f.c.b.d.d.9.3.e.b.5.6.9.6.a.9.e.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43F1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 24 12:42:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	26938
Entropy (8bit):	2.240158987271675
Encrypted:	false
SSDEEP:
MD5:	2C45BC1318E39CDB4E33157280A4A890
SHA1:	B51F1346AD623C45DD49F6C3B0EF370D88B69333
SHA-256:	0DF1E16750E483CBC73F2EBEEC2052EF4426FF0F8EFA6BCD4084E1C9598CEFCB
SHA-512:	A50F36B2A75892B4D5368A25D00247105A014DCADEDB65D476147D6B179DC3EF59483BCA0D28CB990FCB7C5CCBA25887BB25F0955F011B4891E17DC6AC44BC35
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........f............4...............<.......d...`...........T.......8...........T...............jV......................................................................................................eJ..............GenuineIntel............T.......\|......f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER446F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6320
Entropy (8bit):	3.722731628017966
Encrypted:	false
SSDEEP:
MD5:	469471372ACD62CF4C92D1B593FC33B3
SHA1:	361E1B2D2FEA0D464997F670E9CCE2351C2284EB
SHA-256:	E865C4BC747790CBC1628D9F5E4604907DCE90A78E2BB475EDE1BE30E5C6D213
SHA-512:	C791FBF0725FFCE939D7EFC7877E832E5A247F798F4011128B36A57C167DD2B88FD2D00984076DBBE4769EDB5CC2FEC32EF1DDA5285BB6FDF18CAB759358AE5B
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.6.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER449F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.491641285510822
Encrypted:	false
SSDEEP:
MD5:	81E48D2184240BAB45DD22F2CF0C1193
SHA1:	B7414CEA30E3721E60E164EED70265B1A02AD497
SHA-256:	13477A89156EE571C228AF92C1F3AA3B307E9C71674BAB5301A269B62CDDA3EF
SHA-512:	F3D31DA96EDDCB872E76D7C749CE1BE0078702DC1F8E9736C9C0059A598D8AB41F624D4212FD0B83005C0007ACD61CF1E1A0FD820B6BFB48C856E3413E3DB1AB
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="514304" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER709E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 24 12:42:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	27010
Entropy (8bit):	2.1987474285125743
Encrypted:	false
SSDEEP:
MD5:	9D9DAF30E5F6FA8FBF4523F4741BDC3D
SHA1:	EDBD50ADD9C91E0F62FE5D819DB7641940F8CF7D
SHA-256:	C69E635053A7AB9C7A690A7AE3ECD32B0D14478C06077EE543224099042A5C5A
SHA-512:	A80D6C86009019F79C7CEB795CDEEE9D2714935C076CC8E2FAEAE9E63C0D512FE4463ACA0005CF338914720FBC24D52AF25BA81F94A326B88EBBF10EED152044
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........f............4...............<.......d...`...........T.......8...........T................V......................................................................................................eJ..............GenuineIntel............T.......\|......f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70ED.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6324
Entropy (8bit):	3.722516149659381
Encrypted:	false
SSDEEP:
MD5:	9159B3D2927E0D3C112F8CCB6DDC7189
SHA1:	0A219DAD6786B049DE5B1BDEDADE1CA5BC5BE41A
SHA-256:	2B0E480B69A4BA9EA76C8740BAFA80439C539788D3C78453A6D77C17786B2572
SHA-512:	16121C982E7677F4630DBBEAE145E506826EA4A6750E8B923EE195BE218A9829C9095DE1CC91ACCD6E5D03932EBEF3EC52F2896F721DC91DC56F6308EA8F3E2A
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER711D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.490379900214565
Encrypted:	false
SSDEEP:
MD5:	6A59341C06640DF84D2FA2D2FA72C4D9
SHA1:	F98CF50E9290742809F9D4A068546F8425770B13
SHA-256:	629EA4CA0DC01A3B1C6D6FB34F6B0E33294C461D7916E995A7301890DDB2AB7E
SHA-512:	20D13BC49E8E4E420D53DF837C267C4943A48510718298A3C527013C3D9014168D392DE40DE33E487BE7E77A20E866687E2BFF010C260532DB25433062277AC9
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="514305" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\f45c09a5

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	1248846
Entropy (8bit):	7.577801288154106
Encrypted:	false
SSDEEP:
MD5:	1060AE9AADEA37EE83E57CAC58D5780F
SHA1:	F00E29850A81F6BD7BC8854028D42F47E94B7FD4
SHA-256:	2426F45A6C52FC2C82CDFFB3F0438F4CF4D9CDE4C7B81B06D881E11FD55DAB93
SHA-512:	0D520A07E3E7CE257DBBA6DA9251FDB38C11BD11838B8E18B4E3B5361984E6A51307EF0BB044E20594E4689482EB5E277BBD05B1C980A5A1F26F29AC65DB72D8
Malicious:	false
Reputation:	unknown
Preview:	T1t.W1t.W1t.W1t.V1t..1t..1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1u.rp$..p .rm9.4C..8W...X..8F...E..#.9.9D(.%^..6\...E..#D..W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t..^=.>E..;X...It.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t..^7.2P..._..6_..W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.rf=..x&..\|..%^..1EZ..e(.%P.. ^..W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.!.Z.y.D.e.t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.

C:\Users\user\AppData\Local\Temp\fae164b5

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	1248846
Entropy (8bit):	7.577799870710132
Encrypted:	false
SSDEEP:
MD5:	A25E88C2B1DD2882C746EA4A95E51899
SHA1:	81C6EB892658D7AAA5793148D6ABCF89B153B65F
SHA-256:	C94AA8C2B89329D28244AE9EC693775E1DCDC7C4B9614220873D7D80A8905BC7
SHA-512:	D3E830AFC98DF25D819E823203D271F51EB16D11B9C56E58D7F7DCC6347B19FE25D2011A08833CC8A55F435C9B9AEC84249AA72BEE6983D527F89E3C4ECE6AE4
Malicious:	false
Reputation:	unknown
Preview:	T1t.W1t.W1t.W1t.V1t..1t..1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1u.rp$..p .rm9.4C..8W...X..8F...E..#.9.9D(.%^..6\...E..#D..W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t..^=.>E..;X...It.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t..^7.2P..._..6_..W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.rf=..x&..\|..%^..1EZ..e(.%P.. ^..W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.!.Z.y.D.e.t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.W1t.

C:\Users\user\AppData\Local\Temp\jmnpeame

Download File

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	467456
Entropy (8bit):	6.672784633284107
Encrypted:	false
SSDEEP:
MD5:	99ABA3C684E22977CC5F674AB677BC32
SHA1:	BCEE0705BD4D85C46E96C648A6FFB1EB420D9EAB
SHA-256:	9EF6CE4ED48A0BCD498EC1B8FDD1C42AC529A9F4EF59F9DE27CC0998D9D3D9CA
SHA-512:	576A897A253FE5F35D612FE9261653737381F2B07A737295DB2F9B1FFC078F5E365DA079788EEE556D9F959EA9A433D7761566BEDDF7B7C32F147C1F2BEC08AB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...H..]............................0.............@.......................................@.....................................x................................J...................................................................................text............................... ..`.rdata...).......*..................@..@.data............`..................@....reloc...J.......L...F..............@..Blotoj........P......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Sep 24 11:42:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9828088128264594
Encrypted:	false
SSDEEP:
MD5:	457DEE0C819CB6DDF6229401FDB50955
SHA1:	9BAA80BE2EB0DDA0A26260F146FF031D43AF12B6
SHA-256:	8C1A507A644F35A777ED65D6EF80E4967420BFCF7CFCDEF17EB5465DC1B8B4CA
SHA-512:	5935D2E8A796C323EA4A7F6E1D769671681BC6FAA032476C07FBEC5E22C91F57EE12780EA873C93E23699F697024D14B6CF04F7AE98BAD8C018074C83E2D4729
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....m..<....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I8Y.e....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V8YQe....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V8YQe....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V8YQe..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V8YSe...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Sep 24 11:42:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.0014242815118095
Encrypted:	false
SSDEEP:
MD5:	738383A28C3118BFEBD605F61DF2E068
SHA1:	3F73C43399898604EF292ADA1B509E25B85B8088
SHA-256:	A2F864833ACD4F98F2B5A1669FC00A0060C29A1CD020D2466247322C54C6EB70
SHA-512:	2CCBAB0C755A7928C60286A6C0669333A32F76D1B3288E10316F80B02FF74D3C209FA353B20CC5A5A8B25F7188B3B04169CE7F62B00A411AA8491DA65BD68FCB
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....7.;....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I8Y.e....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V8YQe....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V8YQe....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V8YQe..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V8YSe...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.007317499085642
Encrypted:	false
SSDEEP:
MD5:	82087B7BAACB205031CC66176EFB4571
SHA1:	91A6FD351D697B9237BC86532CD5620188710435
SHA-256:	B16CB3434356CDBE432EBF27FE0870D374E0CA6B3A2808CF47EB2BCF55D6744B
SHA-512:	43B79BAD9B54666510AC9220371F1059DEB73E93FBFC28B4379CC8674AC376623C08EB018EB6FC65594AC7822E7175A6409B34CB7131AD8DA56B5C65BAE0C135
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I8Y.e....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V8YQe....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V8YQe....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V8YQe..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Sep 24 11:42:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9973490260606805
Encrypted:	false
SSDEEP:
MD5:	F16334304C81BFA51554831A775784E9
SHA1:	888B544D6D01F22910B4EE0C12B816CD47ED1E75
SHA-256:	BA12E16E75661D4180FF1462B6371D95F6BDFADDF645FF4817F3FB7C95F9E0CD
SHA-512:	C0298FA76B1B5608C97A66E42577E67CE9048FCE136435D7E36E2E87BA334AE3F3777195F3742F0A1358E6202F5CD327A269B578FD6C5226507B51471A3731C3
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....0..;....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I8Y.e....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V8YQe....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V8YQe....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V8YQe..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V8YSe...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Sep 24 11:42:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.986288813808697
Encrypted:	false
SSDEEP:
MD5:	3A9304BA2527298416ACD81B9F13F11C
SHA1:	12F7B04F3F84873960F649C7AC6489E184FAA1C9
SHA-256:	CD2D200A6D566BF8B5FA02678624C02ADD29C6FD51B64530B6CB3271450FDFBC
SHA-512:	6F3009EB5859571BFC4AB29697FEDF610CF8A76A50C25ED05800AAB54C6C48FE6515761775E79772AF60ADB2BCCA681E2FFE6D472EF562121FAADEC6578A710B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....5..<....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I8Y.e....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V8YQe....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V8YQe....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V8YQe..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V8YSe...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Sep 24 11:42:36 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9942957682381737
Encrypted:	false
SSDEEP:
MD5:	DEA69E7DCFB0FFF74B4F006C4D7B2987
SHA1:	BA9454794B0AAA9521C186804F59B6A10019BF0F
SHA-256:	66E2C187481519DC36B81637908D08E98F107CB3BBC35CF0AD5DD44D03FAEFC0
SHA-512:	36E4D38FEF29FF2BDDAE43CB5AC6070D7C8AEFD9D2889C7529ECF19BFFEEA4244725AC7BB5AF6E4C66760099AACC5EB72F643AEBDCBF85F1840A89D7653AD361
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....%..;....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I8Y.e....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V8YQe....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V8YQe....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V8YQe..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V8YSe...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48896
Entropy (8bit):	5.121181282636362
Encrypted:	false
SSDEEP:
MD5:	916D7425A559AAA77F640710A65F9182
SHA1:	23D25052AEF9BA71DDEEF7CFA86EE43D5BA1EA13
SHA-256:	118DE01FB498E81EAB4ADE980A621AF43B52265A9FCBAE5DEDC492CDF8889F35
SHA-512:	D0C260A0347441B4E263DA52FEB43412DF217C207EBA594D59C10EE36E47E1A098B82CE633851C16096B22F4A4A6F8282BDD23D149E337439FE63A77EC7343BC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........6......5.....t5.....Rich.*..................PE..L......U.................P...0...............`....@.........................................................................4L..(....p..\................/..................................................0... ....... ............................text....A.......P.................. ..`.data...,....`.......`..............@....rsrc...\....p... ...p..............@..@l.[J............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tpm2emu\jqedor

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	978542
Entropy (8bit):	7.905473402623561
Encrypted:	false
SSDEEP:
MD5:	830FC9E161E6CF04834CCA535CB7949C
SHA1:	DDE8FBBDF24D5B50D371F73DDE5747431B8ACDEA
SHA-256:	F8892D271E28BB7B7EB0724E4A15E8A3F592BF0F0C82C0F8C269FFD4D3827BFE
SHA-512:	D3F11E30E5013158FBAF65DA6E6C85A86A3AEC41D41A82267C25E66C5F15769C9B193948B197275054BC31FCA0AA22A7FCC00ABF43D370455D64F98B886B3CFB
Malicious:	false
Reputation:	unknown
Preview:	vn.euByP.m....b.X..[...P.[Wq.e.g[Q.puRIkYp..`c...m.t.d.F..g..O.xh.^...I..].B.^...jVf[...mQh..U.jv.wj.S..o.j...H..SrUX^N.L.Kt..Q..r...j..D.K..xUjQO.tSVGu..OZVO^.o...E.En.c.u.Bj....NaY....E..H.PL...Y..aCdt...ACkJ........T.eLrx....T.m..MD.DL.......S.......Y..V...]m].......bQ.gYLYh.a..\..snH.CD.^S..gmf..s.nV..ShoQT..l.ZV.A.....E.prfyK.DT....K..Sp....Nbq....W..Bw.b...K...............sH........aQ.XlU..enA.D..D.em..lV_T...f.u.XcS._A_bkZ.....a..Zt..r.Ak.Gpl.mm.x.`.K..sB..gJ[Us\..`.W.t..Bu.p...P..gL.[sDCfw.Lk...a.QU...x[c..I.xRZ...b.....i...Lsd...W...AUI[s_...lf..an.d..^G._w....y.Q...H.E....R.nAu.........LPs..m.Kxq[\S..v.CvO.Ae.[.WS.B.....h.jgtepNVLC.V.m.C.j.j.i..joxh.D.f.\C.Gai...U.awPMAR.mu..nqGTI..B[ebD.B.SyW.Z.UhY..eK......\a.rG...yvb..V.._d....._..^^..aH.nT.\Gy^.e^.T..Wr....G..i.ggw...b..U..A`^W..J_vj..MBcp.o..k.uip.bV...Cs.[...Iq..IJ........T].[R....a...B..uB.D.....Y...pjbPA.....NBv......WL...C^nXU^.oS.w...Km....C.h.r.JOi...E.[..y.pOgY.LT.x..j....a..GL.WJ]..D.dE..`B.xmD....J...M...R..gkyh

C:\Users\user\AppData\Roaming\tpm2emu\msvcr90.dll

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653952
Entropy (8bit):	6.885961951552677
Encrypted:	false
SSDEEP:
MD5:	11D49148A302DE4104DED6A92B78B0ED
SHA1:	FD58A091B39ED52611ADE20A782EF58AC33012AF
SHA-256:	CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
SHA-512:	FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L.....i[...........!.....\..........@-.......p....Rx.........................0......?T....@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tpm2emu\python27.dll

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2649600
Entropy (8bit):	6.7223455901392475
Encrypted:	false
SSDEEP:
MD5:	7066D26251CD52653FE4C135DDCAC003
SHA1:	5D03F5DC8C74251B28820D955E615A5B2B63F884
SHA-256:	5DBAB5DEDB026DCAA2C4CA01D775A388AE0C8AC339BD15214BE6D65889190603
SHA-512:	64E5AF180AB6BC56ACFF1A05E4194A0FF064BC34CE17E926CB99E08CD67F7C177288F8850A6BFB635C2BFE7EF75E67EF313D030F09BD06C1EAED18BB1BC48916
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bu....{...{...{..[...{..l...{..l....{..l....{..l...{...z.<.{..l..{..l...{..l...{..l...{.Rich..{.................PE..L...x..^...........!.........................................................).....\g)...@..........................g!..\|...Q!.x....@(. ....................P(.h\.. ................................O!.@............................................text...z........................... ..`.rdata...D.......F..................@..@.data...pC....!..(....!.............@....rsrc... ....@(.......&.............@..@.reloc..~f...P(..h....'.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\tpm2emu\xqdfft

Download File

Process:	C:\Users\user\Desktop\tera10\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	77461
Entropy (8bit):	4.435667551976907
Encrypted:	false
SSDEEP:
MD5:	0BA06A67683C5B51E3F2500867607410
SHA1:	7B6386DC2E9259EC76192EE6FCDEA8A5DD7B5346
SHA-256:	B9C5F8910B193F96F29D66A5D654DB9113FF765634A5603203A6AB20C1ECCBE9
SHA-512:	635B3F3619BC3995005FB8C34A4931C0951374EB947FE9C12EBA54CDA4AD35A7E1F821A3CE68D8CF41961FB576ED27A2534C8276A285D896C6B2C33CFD29FEC9
Malicious:	false
Reputation:	unknown
Preview:	.f...[...T.Y..tvQE..`CD.X_i.XlFjNBdH.[y..b.\.f.xjZ..p.et..R]bH.mEliw.C[.u..P.JD`R..AZ.s.i.Q_^...b....VKvGg.w.\uBV..XO.VUl.pAU......C_..Q.OiPL..D.M..S........THB.A.oB.x....S..B..w.....MKm...YP..U..........`exp..\U\tleB..kDpA..xG.l..f\j..Y.q.VAs..L..NOh_......d...q.lu..rt.cJRF..DIkta.Sg.fd..Zqlw..A....C.fU.O..F..RfI.d.Xh..rU_h.k.....KwY....G..TcI.H.]W....r..djG..[`t].g...V..g[hh.n......DBqVxbY]...a.O.c.D..O....l..m.X].J...g..M.J.vya.kmI^Eywx...Wc.....^..ZgSUJJ.H..]b...l.B.....i.Z.D]..t.C..EwN..P.[f.C.A.U.Z.W...k.Us...SIQ.R.J.y..d.fS.....k...l.E.OB.Y.T[mK.B.OJ.....S.......hIaS..UgsP.BDF..s`D.`]_Uu..dHb..V.Zepg...x...f..o.....D.H.f.K......iv..M...e.C.EW..n.....L.....d.B.Bp..jJ.s...[.J.N.....s_t...Keg..YmUvZwsV..Mlpq^k.nN...u..C_.t.Y.Yb..l..wZ.ms...\..BoFbcXZn....]...h..e.t.....y.I.....J..OQrZ.I.OK.m.D.uE^...i.s....B.wi.DpE....T.C..^urG..w.\xq......q.korK...C^.v...nj...dSLR...k.V....Njsi.REMs.Sb...N..[]...y.tZ.t.\]Z\.S..._l.Ot.....li]..c.BI_J.g...Y..r.N.GC..R..lS...........UC..DC.v....Pck.B

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.998893554499651
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	tera10.zip
File size:	27'703'354 bytes
MD5:	1112c1d9408808a493352f73308d24a8
SHA1:	4217ae048db98b3a25649263f9d8117aa8c56e0d
SHA256:	a9cea39e306f430e00ca4630ff50d529f0996e144d469cae5635dd4f1a2c5783
SHA512:	ef3fd7344573355ff22a31e17588946a8f5f743ec3c3e0b77d5aef9b0a987a1fc0cfffaf3bd533699b787f65facc659d93c146a0fbe312b98494ab3585212891
SSDEEP:	786432:mgOeugvEwiLPoGJQF2kF1xE8GmVwIxGmVa:POeugv9+QG3ktGBUGb
TLSH:	8F573389F907C134D99DAA3225D9C9637C80D305D069BC3FDB1901AE0F92BEA07A7F56
File Content Preview:	PK........D.6Y.....A...q......Set-up.exe.\|.XSW.........{DT......AV.0$..-..H0$...*.Z.J.....Z..Vm.Kk+......o.....]\..9....]......./x.....33gf....i...A.lHf3Al'.........{..Ll.?.g;#.H..J..W....d....F.5...<.Q.SixQ.....\.....E.(.l..#.>.hIe.... ..DA.9..q...n...!.

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tera10.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SearchIndexer.ex_cd53bb3f2f8e47747a257a3577baa06d94df3e33_9e0a92cb_a31cd8fc-1116-446c-8667-643dc4a6b310\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SearchIndexer.ex_cd53bb3f2f8e47747a257a3577baa06d94df3e33_9e0a92cb_beaab279-fb9c-415a-8c2a-33c01e7617f7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43F1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER446F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER449F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER709E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70ED.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER711D.tmp.xml

C:\Users\user\AppData\Local\Temp\f45c09a5

C:\Users\user\AppData\Local\Temp\fae164b5

C:\Users\user\AppData\Local\Temp\jmnpeame

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\AppData\Roaming\tpm2emu\ESKZOCWPMKXRPBX\StrCmp.exe

C:\Users\user\AppData\Roaming\tpm2emu\jqedor

C:\Users\user\AppData\Roaming\tpm2emu\msvcr90.dll

C:\Users\user\AppData\Roaming\tpm2emu\python27.dll

C:\Users\user\AppData\Roaming\tpm2emu\xqdfft

Static File Info

General

File Icon

Windows Analysis Report
tera10.zip