Edit tour

Windows Analysis Report
Axvn7Hegxc.exe

Overview

General Information

Sample name:	Axvn7Hegxc.exe renamed because original name is a hash value
Original sample name:	02d5c3456cc7e6523c1a20ebe02048b48aab2e3de995ab4659f2d0517e0541ef.exe
Analysis ID:	1587673
MD5:	97207c093826146294a7254517321fd7
SHA1:	d1e21d118df6bcc24b1acf7a235bbd9394abcbe2
SHA256:	02d5c3456cc7e6523c1a20ebe02048b48aab2e3de995ab4659f2d0517e0541ef
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Axvn7Hegxc.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\Axvn7Hegxc.exe" MD5: 97207C093826146294A7254517321FD7)

WerFault.exe (PID: 7896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1468 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Axvn7Hegxc.exe	Virustotal: Detection: 61%			Perma Link
Source: Axvn7Hegxc.exe	ReversingLabs: Detection: 82%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Axvn7Hegxc.exe

Joe Sandbox ML: detected

Source: Axvn7Hegxc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Axvn7Hegxc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: C:\Users\user\Desktop\Axvn7Hegxc.PDB source: Axvn7Hegxc.exe, 00000000.00000002.2095977999.00000000009D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdbMZ@ source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: Accessibility.pdb\ source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbAccessibility.dllMZ@ source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: HPXo0C:\Windows\mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2095977999.00000000009D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\Axvn7Hegxc.PDB> source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.000000000708F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.0000000007072000.00000004.00000020.00020000.00000000.sdmp, WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb* source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.0000000007072000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb{d source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.0000000007072000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb( source: WER56A3.tmp.dmp.6.dr

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Axvn7Hegxc.exe	String found in binary or memory: http://www.modestarcade.com

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

Code function: 0_2_02A8D444

0_2_02A8D444

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1468

Source: Axvn7Hegxc.exe, 00000000.00000002.2099788367.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Axvn7Hegxc.exe
Source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Axvn7Hegxc.exe
Source: Axvn7Hegxc.exe, 00000000.00000000.1358950617.0000000000838000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJtJ.exe@ vs Axvn7Hegxc.exe
Source: Axvn7Hegxc.exe, 00000000.00000002.2098315114.0000000003C79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Axvn7Hegxc.exe
Source: Axvn7Hegxc.exe, 00000000.00000002.2098315114.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Axvn7Hegxc.exe
Source: Axvn7Hegxc.exe	Binary or memory string: OriginalFilenameJtJ.exe@ vs Axvn7Hegxc.exe

Source: Axvn7Hegxc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Axvn7Hegxc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal56.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7416

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0a44fddd-c6b0-472f-b41b-81a20a36dd00

Jump to behavior

Source: Axvn7Hegxc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Axvn7Hegxc.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Axvn7Hegxc.exe	Virustotal: Detection: 61%
Source: Axvn7Hegxc.exe	ReversingLabs: Detection: 82%

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

File read: C:\Users\user\Desktop\Axvn7Hegxc.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Axvn7Hegxc.exe "C:\Users\user\Desktop\Axvn7Hegxc.exe"
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1468

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Section loaded: propsys.dll	Jump to behavior

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Axvn7Hegxc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Axvn7Hegxc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: C:\Users\user\Desktop\Axvn7Hegxc.PDB source: Axvn7Hegxc.exe, 00000000.00000002.2095977999.00000000009D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdbMZ@ source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: Accessibility.pdb\ source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbAccessibility.dllMZ@ source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: HPXo0C:\Windows\mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2095977999.00000000009D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\Axvn7Hegxc.PDB> source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.000000000708F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.0000000007072000.00000004.00000020.00020000.00000000.sdmp, WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb* source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.0000000007072000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: Axvn7Hegxc.exe, 00000000.00000002.2096160527.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb{d source: Axvn7Hegxc.exe, 00000000.00000002.2099974569.0000000007072000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER56A3.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb( source: WER56A3.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Code function: 0_2_02A8D198 push ebx; retn 0002h		0_2_02A8D1AA
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Code function: 0_2_06F0136F push eax; ret		0_2_06F01370

Source: Axvn7Hegxc.exe

Static PE information: section name: .text entropy: 7.710384569553251

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Queries volume information: C:\Users\user\Desktop\Axvn7Hegxc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Axvn7Hegxc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Axvn7Hegxc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Axvn7Hegxc.exe	61%	Virustotal		Browse
Axvn7Hegxc.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
Axvn7Hegxc.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://www.modestarcade.com	Axvn7Hegxc.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587673
Start date and time:	2025-01-10 16:46:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Axvn7Hegxc.exe renamed because original name is a hash value
Original Sample Name:	02d5c3456cc7e6523c1a20ebe02048b48aab2e3de995ab4659f2d0517e0541ef.exe
Detection:	MAL
Classification:	mal56.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 21 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.45, 184.28.90.27, 52.149.20.212, 20.190.160.20
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	13.107.246.45
	raq4ttncJF.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	WF2DL1l7E8.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Play_VM-NowTingrammAudiowav011.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.45
	FGTFTj8GLM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Axvn7Hegxc.exe_d756ec9f9fc68ef0931fdd35129335783f5e87_c137846b_34155a04-6fcc-4c3b-8123-28b5f2bf7c01\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1895006959948902
Encrypted:	false
SSDEEP:	192:TNtlq4Lkd0BU/HUHamOJo1ZruGJFzuiFfZ24IO8vnn:Znq4AeBU/aaBWFzuiFfY4IO8/n
MD5:	2CA2DA7ED45E41E8B8563DED598D8474
SHA1:	78A68A67B8EADAC57D85E8A1408E26A8B63AD3E5
SHA-256:	3B4FC15DE980ECC89C769F04B12A3B011BDB7AF7898BE72E70B3755A9BF54591
SHA-512:	675B1D300E4E5BF7D302CE519AB5CF835C66F612317AC9551EE126D1EFC91738653DCA9E078011CAC167C36FFA5257A3FEC1FEDAD6B5B24A991C6A9C607625C7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.9.7.6.8.4.2.5.0.6.1.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.9.7.6.8.6.2.1.9.3.5.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.1.5.5.a.0.4.-.6.f.c.c.-.4.c.3.b.-.8.1.2.3.-.2.8.b.5.f.2.b.f.7.c.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.d.7.d.c.d.9.-.e.8.0.4.-.4.b.f.1.-.b.0.9.1.-.e.f.4.0.0.c.1.7.6.7.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.x.v.n.7.H.e.g.x.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.J.t.J...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.8.-.0.0.0.1.-.0.0.1.4.-.6.c.7.0.-.d.1.f.e.7.6.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.d.4.2.7.8.a.1.f.6.9.a.f.5.b.4.1.c.e.c.2.7.6.7.5.9.3.7.2.4.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.1.e.2.1.d.1.1.8.d.f.6.b.c.c.2.4.b.1.a.c.f.7.a.2.3.5.b.b.d.9.3.9.4.a.b.c.b.e.2.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER56A3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jan 10 15:48:05 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	293762
Entropy (8bit):	4.241160272934346
Encrypted:	false
SSDEEP:	3072:sfitn9lTT6RV7hHo8+gVmAo34uEqCBGyRdSLTggU3+:sfitn9l/CV7hz+ORo34xGyRdATgFO
MD5:	9E1C9A81CEFA905AB8CBE3A93A31003F
SHA1:	A1622813E4CF1BEDCD2A97AE713854D4D011DE5C
SHA-256:	6A16443735CBC2ED96B438DF3BAFD2BC335A6A11DAD56792D874C30DF87F6F7E
SHA-512:	3C6449D7F7E393F34163976ADDB4DF84AED8210CD0E075090FC9085C0D3F3C0EB32CF90AEE69805643EC09DEF12CC8DB88C36672ED146FD1C431C1BE94B047A5
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......5A.g....................................$....&.......4..@Q..........`.......8...........T............9...A...........'...........)..............................................................................eJ.......)......GenuineIntel............T..........."A.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D1C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8428
Entropy (8bit):	3.706901928699196
Encrypted:	false
SSDEEP:	192:R6l7wVeJCe696YcD8SU9HCHgmfZ9YEprR489b6vMWsfStP+m:R6lXJj696Y7SU9HCHgmfjYmF6vM1fSd
MD5:	01A291392AFB19428797E5B653CB7881
SHA1:	BBC554575A818F3E177AA0A9E816A1A73F2C6302
SHA-256:	AE48A97FDEA1767172DACC7122189F53B90A30FBD35ACD24DA88D5A41D23508A
SHA-512:	DAF8B4BBA6AABB596262D15E3F4F8E8945ACF63C7C2A09A46572942D053AD5CD3B89856E48003911A9A3317FB751C36B083624C4904DB4CD26112793E38E852C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D5C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4764
Entropy (8bit):	4.507907128128352
Encrypted:	false
SSDEEP:	48:cvIwWl8zs30Jg77aI9W5WpW8VYxOYm8M4J2et2FG1+q8vUtfTu0QlKvzmSvkd:uIjfCI78I7V8JXKCTuDMzm0kd
MD5:	D8520DCFC38C04F34661AAB7E2CCE5EC
SHA1:	A987E5104233DC8E4C4D73ACD97B77AF224B55DB
SHA-256:	A28DD228D1172EC9BD5F9AA408F983B94ABA24778FF1FACCA357082063692A2B
SHA-512:	FDA50EEECAD8694180DBEFD7DF063ADF719B1964C38FEF63E832C56AA1F1A8EACEBF7A5349837D708FAA24EE943CD69844838C90EF209C3FB86CC8B9C4CDA17A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670010" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.394177585398623
Encrypted:	false
SSDEEP:	6144:wl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAcOBSqa:I4vF0MYQUMM6VFYScU
MD5:	AB1B93772551385849DB060DA30378B8
SHA1:	76A2341F976257FD3CFAEF99952DDF5DA1D8AAA2
SHA-256:	F839E15BA31BAC11611765EDCCAA97C017F79B2FC6465C89ED7290E443C624E0
SHA-512:	CDFF7A2530975C9B026042787859F0E06C802BAD787E713D313BF4F0D2F2AE35DFC8A81250EBA96E4A3B2D067F614E0791F68511CB63686B6CF10FC29EECBB2D
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJn..wc.................................................................................................................................................................................................................................................................................................................................................<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.685536996478897
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Axvn7Hegxc.exe
File size:	841'216 bytes
MD5:	97207c093826146294a7254517321fd7
SHA1:	d1e21d118df6bcc24b1acf7a235bbd9394abcbe2
SHA256:	02d5c3456cc7e6523c1a20ebe02048b48aab2e3de995ab4659f2d0517e0541ef
SHA512:	4bbbdce811f389a06215ff95f0af1a2285ca1f0ed4ba8b883751a22e627ff3e8e1cc45a0cee9b6e25ac0c9e5b4ffb78216181346ea264ad6f3e91d45a9ca275f
SSDEEP:	24576:8PUwFOthNRdAG2KkRSEL0sdkvduq2g+0RSFB:EwLRSRcsyvduquV
TLSH:	8605E054F749D407C41616F05E62FBBD226C2F9CA816C2537EFA7EAF78B5AA10810E43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wg..............0..P...........n... ........@.. .......................@............@................................

File Icon


Icon Hash:	83356d4d454d2986

Static PE Info

General

Entrypoint:	0x4c6e1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6757A3EB [Tue Dec 10 02:14:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F7F35119912h
je 00007F7F35119912h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F7F35119912h
imul eax, dword ptr [eax], 00610076h
je 00007F7F35119912h
outsd
add byte ptr [edx+00h], dh
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F7F35119912h
je 00007F7F35119912h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F7F35119912h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F7F35119912h
jnc 00007F7F35119912h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc6dcc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x8128	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc4e84	0xc5000	a9b8511ff21a76ac07aa548d2ad562ba	False	0.9019285870082487	data	7.710384569553251	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x8128	0x8200	1435c60b16d94ee65369feb76ea7eda2	False	0.5307391826923077	data	6.332609767301961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	b34d699b8bde0d8f48d1496e62902469	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc81d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5669 x 5669 px/m	0.36436170212765956
RT_ICON	0xc8640	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5669 x 5669 px/m	0.24385245901639344
RT_ICON	0xc8fc8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5669 x 5669 px/m	0.1845684803001876
RT_ICON	0xca070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5669 x 5669 px/m	0.13526970954356846
RT_ICON	0xcc618	0x3750	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9771186440677966
RT_GROUP_ICON	0xcfd68	0x4c	data	0.75
RT_GROUP_ICON	0xcfdb4	0x14	data	1.05
RT_VERSION	0xcfdc8	0x360	data	0.42824074074074076

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:47:43.949282885 CET	1.1.1.1	192.168.2.9	0x10a6	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:47:43.949282885 CET	1.1.1.1	192.168.2.9	0x10a6	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Axvn7Hegxc.exePID: 7416, Parent PID: 3504

General

Target ID:	0
Start time:	10:47:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Axvn7Hegxc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Axvn7Hegxc.exe"
Imagebase:	0x770000
File size:	841'216 bytes
MD5 hash:	97207C093826146294A7254517321FD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7896, Parent PID: 7416

General

Target ID:	6
Start time:	10:48:03
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1468
Imagebase:	0x420000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Axvn7Hegxc.exePID: 7416, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	29
Total number of Limit Nodes:	4

Executed Functions

Function 02A8D508 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A8D596
GetCurrentThread.KERNEL32 ref: 02A8D5D3
GetCurrentProcess.KERNEL32 ref: 02A8D610
GetCurrentThreadId.KERNEL32 ref: 02A8D669

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ab23971c232803ba17f6e3231b5715a817ca05ad4b8cd9d5ef57dc316ab7e446
Instruction ID: 2414a2f19ff6b70878c0ba4d9edc7969012a6c9aa11b8dda0aad6f51f0a8393a
Opcode Fuzzy Hash: ab23971c232803ba17f6e3231b5715a817ca05ad4b8cd9d5ef57dc316ab7e446
Instruction Fuzzy Hash: 4B5179B0900609CFDB54DFA9D588BEEBBF1EF48314F208569E049A7391DB349984CF65

Function 02A8D518 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A8D596
GetCurrentThread.KERNEL32 ref: 02A8D5D3
GetCurrentProcess.KERNEL32 ref: 02A8D610
GetCurrentThreadId.KERNEL32 ref: 02A8D669

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 13f5a730056e0a75b106c617fa7f2e7eca14f50227789d000e167e1399f8d0c2
Instruction ID: 76899e4e94f6b97f85912a34ccb441076e3819655f170ef82e67ae7b2f18d901
Opcode Fuzzy Hash: 13f5a730056e0a75b106c617fa7f2e7eca14f50227789d000e167e1399f8d0c2
Instruction Fuzzy Hash: 045167B0900709CFDB44DFAAD588BDEBBF1EF48314F208569E049A7291DB749984CF65

Function 02A844F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A859A9

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 76c47aad15c741e8c1145787fdf61a6447dc72ff7837a0a30b8e34c7f479ae1c
Instruction ID: 75298b6cd2c5c63f0f5a1e3a2d0b09a4162f0ae0f391fa03f3f44a8ffdaa4f92
Opcode Fuzzy Hash: 76c47aad15c741e8c1145787fdf61a6447dc72ff7837a0a30b8e34c7f479ae1c
Instruction Fuzzy Hash: AA41E5B0C00719CBDB24DFA9C884B9EFBB5BF49304F60806AD519AB255DBB16949CF90

Function 02A858ED Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A859A9

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7e025846ab2e47c3814b8135a0a60d01419aaa3429f1afd7dffafebac1eccb37
Instruction ID: 0bc6c578cef3853c190785f90d816c164d2bdf509e837a6c2fc20d63cf34e2db
Opcode Fuzzy Hash: 7e025846ab2e47c3814b8135a0a60d01419aaa3429f1afd7dffafebac1eccb37
Instruction Fuzzy Hash: B841E2B0C00719CBEB24DFA9C8847DEFBB1BF49304F60806AD409AB255DB756949CF90

Function 02A8D758 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A8D7E7

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c0a91b88b143a4d9b2cbc1dde44d6abba1d089573fbefd40a687d5d1d4e4762
Instruction ID: 3ddeb6d391e2167f582ca87738e036cafb2dbfcc62f8906ad9f7b3a9210a3b46
Opcode Fuzzy Hash: 1c0a91b88b143a4d9b2cbc1dde44d6abba1d089573fbefd40a687d5d1d4e4762
Instruction Fuzzy Hash: 5A21E2B5D00248DFDB10CFAAD485AEEFBF5EB48320F14802AE958A7350C778A955CF60

Function 02A8D760 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A8D7E7

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fcff42d0a45ad38f7558a912ba63d5a9584040eee360bd3cb751b27757966f00
Instruction ID: 4aad95c13a268ac82725037bee3ff235ecee41415a4a930fad2a095a9609c8a7
Opcode Fuzzy Hash: fcff42d0a45ad38f7558a912ba63d5a9584040eee360bd3cb751b27757966f00
Instruction Fuzzy Hash: 9221E2B5900208DFDB10CFAAD884ADEFBF8EB48310F14802AE958A3350C774A954CFA1

Function 02A8B078 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02A8B0DE

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 464ae81b06ce8ae736bcf37648800356d51017ac95642a2fa0d31e930ffee44f
Instruction ID: d42852f6c75ada3c10227156ddca28fa6a436aab8b401531810ef16adeefc7ef
Opcode Fuzzy Hash: 464ae81b06ce8ae736bcf37648800356d51017ac95642a2fa0d31e930ffee44f
Instruction Fuzzy Hash: 33110FB5C006498FCB10DF9AC444BDEFBF4AB88318F10842AD868A7210D775A545CFA1

Function 06F005B6 Relevance: .3, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2099749949.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5379cb246905f6585d9cc471f1cfd2f30f62993328563e24ef05ac7fdf112d0
Instruction ID: c5f30ab0b943dfae82f79afb7c40b2993bd52231f2fdecb85adce0932635e800
Opcode Fuzzy Hash: b5379cb246905f6585d9cc471f1cfd2f30f62993328563e24ef05ac7fdf112d0
Instruction Fuzzy Hash: 90B16235F14228DFFBA48B58C844BAA73B7BB85315F1480A5D50AAB384CF719D82DF91

Function 00D7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096146474.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4470388fdd6777841b9458b383dd29f3d2be1d7115c6687f851ce3c4aed64f27
Instruction ID: 703a9cab71272d0425483bf451d046e89be87ef8cd3b85a622bc89f87303f5b6
Opcode Fuzzy Hash: 4470388fdd6777841b9458b383dd29f3d2be1d7115c6687f851ce3c4aed64f27
Instruction Fuzzy Hash: 222103B2504204DFDB04DF10D9C0B26BB76FF98328F24C169E84D0B256D336E856CAB2

Function 00D7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096146474.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10087c1cbe855eea2c1986f2a0b381a217fbb58f5bcbd3374339fd57e98234f7
Instruction ID: ae91b6c143ebf60b5c8c589c73bc652615f68bc5db1130e8958d381ff6d7aca9
Opcode Fuzzy Hash: 10087c1cbe855eea2c1986f2a0b381a217fbb58f5bcbd3374339fd57e98234f7
Instruction Fuzzy Hash: CB21FFB2504240DFDB05DF10D980B26BF76FF88328F24C669E8490A256D336D856CAB2

Function 06F001B7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2099749949.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91406b16b1332bb1e5d238009e6af9e4fb34af73bf0dc1afc27e90c8138e0de9
Instruction ID: ff0998b573aa7131513bfcf498f1c9c10269e67061a10b42626a865d2970c380
Opcode Fuzzy Hash: 91406b16b1332bb1e5d238009e6af9e4fb34af73bf0dc1afc27e90c8138e0de9
Instruction Fuzzy Hash: 0E21D531B41328EFE7544A649C14FF73B66BB46351F044494F54957282CE704E86DFE1

Function 00ECD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096526160.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4bfef6a49bb96cdfd91554cda626e4411317063ed7561bfb15dcd50b281d7b
Instruction ID: 469d0a26d3226d0d184473d39a4200b760d0cce8d38ec1b7786abb7082f295a1
Opcode Fuzzy Hash: ba4bfef6a49bb96cdfd91554cda626e4411317063ed7561bfb15dcd50b281d7b
Instruction Fuzzy Hash: 8721D071608300DFDB14DF18DA85F26BBA6EB88318F20C57DD84A5B296C337D857CA62

Function 00ECD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096526160.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072bf42d5439fd1de38b91682a816af177f604c75f9aa40061ee0b8d458d570b
Instruction ID: d576efe8f8affee84fa4e6a3671796f2d9272b977c8e37b5890db0d9520584ff
Opcode Fuzzy Hash: 072bf42d5439fd1de38b91682a816af177f604c75f9aa40061ee0b8d458d570b
Instruction Fuzzy Hash: FB21BDB1508204AFDB09DF50DA80F26BBA5EB88318F24C57DE8495A2A2C237D856CA61

Function 00ECD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096526160.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56544b6491d84402ebf40d26fa51b11a6e28af1a130642d062a5ddc3439dce7a
Instruction ID: 88a68055f278798ca430e315e4691100e36ae4fc7bd9d70290e0dfa8e0d1f1fd
Opcode Fuzzy Hash: 56544b6491d84402ebf40d26fa51b11a6e28af1a130642d062a5ddc3439dce7a
Instruction Fuzzy Hash: 1A2160755093808FD702CF24D994B15BF71AB46214F28C5EAD8498B6A7C33B980ACB62

Function 00D7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096146474.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: d67e6f6d9ab1bae83637de971e76afb1fa53be50a4869aff9cda3ee74bab12b4
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 2511D376504240DFCB15CF10D5C4B16BF72FF94328F28C6A9D8490B656C33AE85ACBA1

Function 00D7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096146474.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 11634930fa4040c2db7a3d99a25740c8b3989dbad43717bf68496b109f9c334d
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: D411E676504280CFCB15CF10D5C4B16BF72FF94328F28C6A9D8490B656C336D85ACBA1

Function 00ECD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096526160.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ecd000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction ID: 718000a4a500fee78c6741fcc91ddeade32008660cf7bad90436dfb27b8304af
Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction Fuzzy Hash: 42118B76508280DFCB15CF50DAC4B15BBA1FB84318F24C6AED8494B6A6C33BD85ACB61

Function 00D7D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096146474.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f3e1d52fd55d004ed9b71e1ba34712afb4bb16cacb0a533442c5587a416339
Instruction ID: c5a0e6de6b4d2c5814447bf672267480ebcd041a0eb682fffb529128da83e62a
Opcode Fuzzy Hash: a6f3e1d52fd55d004ed9b71e1ba34712afb4bb16cacb0a533442c5587a416339
Instruction Fuzzy Hash: 7C01DB31008344DBF7285F65CD84B66FBA9DF51324F18C52AED5E0E286E679DC40CAB1

Function 00D7D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096146474.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a40e344638b5f78239a78d593f6a014151ff15a6a515e9572fa53c015d2201
Instruction ID: e30c167cc8bf79cbd93664b1e640bfaccbd743fb5c1dce1d65c4fb3fdadab83d
Opcode Fuzzy Hash: 44a40e344638b5f78239a78d593f6a014151ff15a6a515e9572fa53c015d2201
Instruction Fuzzy Hash: 6CF06D72408344AEE7148E1ADD88B62FBA8EF91734F18C45AED4D4A286D6799C44CAB1

Function 06F0012A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2099749949.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c943183bd264161ed44b5577edcd355a36fbfe37f1cbcbcc30db564941847543
Instruction ID: dca61e02a72609e4f197e638503d672f440805d87de81a4ca11a9368188d1971
Opcode Fuzzy Hash: c943183bd264161ed44b5577edcd355a36fbfe37f1cbcbcc30db564941847543
Instruction Fuzzy Hash: E0F05E30B04308EFFB909F65D844B6A3772FB85214F2085A5E64AAA2C0DE704A86DB52

Function 06F001A1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2099749949.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f26945f1f40f29974439da83b291e2bd90fb249f7033c4dcae2e21108dfb311
Instruction ID: 92ef23b6a74296fa88d101c2716cc6b416813c09cc5d1fcd936be1d32461256e
Opcode Fuzzy Hash: 8f26945f1f40f29974439da83b291e2bd90fb249f7033c4dcae2e21108dfb311
Instruction Fuzzy Hash: A4F06531F14318EFFBE04F64DC44F6933B6FB45614F1085A5A54AA62C0DD708A85DF92

Non-executed Functions

Function 02A8D444 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096951074.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_Axvn7Hegxc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff37e8a9505d641940385298d941e127cec06aee29b403a6c598708098cd8c6
Instruction ID: 016d04d7de9e6e886a0e0d050ad86f57f7bf00796e0ee5bee7315346056a70c3
Opcode Fuzzy Hash: dff37e8a9505d641940385298d941e127cec06aee29b403a6c598708098cd8c6
Instruction Fuzzy Hash: 84A14C36E0020A8FCF05EFB4C9805AEB7B2FF85304B55856AE905EB265EF71D956CB40

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Axvn7Hegxc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Axvn7Hegxc.exe_d756ec9f9fc68ef0931fdd35129335783f5e87_c137846b_34155a04-6fcc-4c3b-8123-28b5f2bf7c01\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER56A3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D1C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D5C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Axvn7Hegxc.exePID: 7416, Parent PID: 3504

General

Windows Analysis Report
Axvn7Hegxc.exe

Function 02A8D508 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 02A8D518 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 02A844F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02A858ED Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 02A8D758 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 02A8D760 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02A8B078 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 06F005B6 Relevance: .3, Instructions: 278
COMMON