Create Interactive Tour

Windows Analysis Report
[SOH] CS1.6 Hack v2.exe

Overview

General Information

Sample name:	[SOH] CS1.6 Hack v2.exe (renamed file extension from bat to exe)
Original sample name:	[SOH] CS1.6 Hack v2.bat
Analysis ID:	1655136
MD5:	4eeab4b5b16939a50019e34f53cc8536
SHA1:	1bcf2a73174f1b388646e0c8db2ade63eb03dd24
SHA256:	0977ee8dff943b199d60adc10077f361611e0428cd4781ff5ae556a0192be1a6
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Classification

Process Tree

System is w10x64

[SOH] CS1.6 Hack v2.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe" MD5: 4EEAB4B5B16939A50019E34F53CC8536)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c color F8 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WerFault.exe (PID: 7712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 576 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: [SOH] CS1.6 Hack v2.exe	Virustotal: Detection: 59%			Perma Link
Source: [SOH] CS1.6 Hack v2.exe	ReversingLabs: Detection: 63%

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: Amcache.hve.6.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 576

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: Section: .MPRESS1 ZLIB complexity 1.0000960553278688

Source: classification engine

Classification label: mal48.winEXE@5/6@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7528

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\633fd883-c53b-4916-8bf1-4be09e9aaeed

Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: [SOH] CS1.6 Hack v2.exe	Virustotal: Detection: 59%
Source: [SOH] CS1.6 Hack v2.exe	ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe "C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe"
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F8
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 576
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F8	Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: real checksum: 0x20397 should be: 0x20410

Source: [SOH] CS1.6 Hack v2.exe	Static PE information: section name: .MPRESS1
Source: [SOH] CS1.6 Hack v2.exe	Static PE information: section name: .MPRESS2

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: section name: .MPRESS1 entropy: 7.996976368895077

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F8

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Software Packing	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
[SOH] CS1.6 Hack v2.exe	60%	Virustotal		Browse
[SOH] CS1.6 Hack v2.exe	64%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1655136
Start date and time:	2025-04-03 00:52:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	[SOH] CS1.6 Hack v2.exe (renamed file extension from bat to exe)
Original Sample Name:	[SOH] CS1.6 Hack v2.bat
Detection:	MAL
Classification:	mal48.winEXE@5/6@0/0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.190.163.18, 184.31.69.3, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
18:53:57	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_[SOH] CS1.6 Hack_d2e752d27c733e64b9b05b113fbd9cc43686c5a_8a141c15_7e724db4-cbf0-4afa-ace4-829a750062d0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8187705350218806
Encrypted:	false
SSDEEP:	96:H5FR7sOqSsOujsOytsnsO9h6nsOf7PfKQXIDcQvc6QcEVcw3cE/MsO4sOz+HbHgd:ZrwbAtb0BU/ojTZzuiFbZ24IO8b
MD5:	C08751FEB3292953B268C4C7FB81849D
SHA1:	40430448810F5386927C8B5ACFD04C26997CCBC0
SHA-256:	0297545A0FB8DDE7DC2B2E869D9FC42B82842ABDB6060F1A5B65D61392D68D80
SHA-512:	ECD0F893DFD814A112EE9C318FFFB29498FFF607CA69F9847D828E75CF6C5E1859E0A4DD4388F21BDC0338E5A1D4C08EC4318D181FAC882B49A7A3171060406E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.8.1.0.8.0.3.4.2.3.5.9.1.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.8.1.0.8.0.3.4.7.3.5.9.0.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.7.2.4.d.b.4.-.c.b.f.0.-.4.a.f.a.-.a.c.e.4.-.8.2.9.a.7.5.0.0.6.2.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.7.1.f.6.9.b.-.8.c.1.0.-.4.b.3.f.-.8.d.8.a.-.5.b.5.6.9.2.b.4.d.1.b.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.[.S.O.H.]. .C.S.1...6. .H.a.c.k. .v.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.8.-.0.0.0.1.-.0.0.1.9.-.8.6.9.7.-.7.b.1.b.2.2.a.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.5.7.c.f.7.f.5.0.9.1.9.e.2.c.2.3.6.5.c.c.0.6.7.9.2.7.c.9.6.a.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.c.f.2.a.7.3.1.7.4.f.1.b.3.8.8.6.4.6.e.0.c.8.d.b.2.a.d.e.6.3.e.b.0.3.d.d.2.4.!.[.S.O.H.]. .C.S.1...6. .H.a.c.k.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3266.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Apr 2 22:53:54 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	49026
Entropy (8bit):	2.0974402613877143
Encrypted:	false
SSDEEP:	192:J9AhwR+gMOOOO9GAs8568pU9bwnYWBJMBv3ysy+A0tKAjQieVuk5z:bAnXOJO9GArzYoJMlysvdKAgVuA
MD5:	D3ABA2F14862E62DFBBBC3622A29E3BB
SHA1:	8A4A496A9E3D18690DE01EB896E19755BD5156B8
SHA-256:	8E110F6803E5D10560990886CA3F2B93E6E44F9D28DB6EB60A3356F803F12A96
SHA-512:	4AF56ABF2844F1270F77032F22E735FB553D388FEA86BF9B6C959C525527B3856B93DA048AB71FB934D9F20C0D1449A8BE87A7102B90C3BA48170673A9651B3D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g....................................$...........T....*..........`.......8...........T...............z.......................................................................................................eJ..............GenuineIntel............T.......h......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3312.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.705025873047624
Encrypted:	false
SSDEEP:	192:R6l7wVeJXj66d6YZiSU9WqgmfhHpr+89bexsfyqm:R6lXJz66d6YcSU9Wqgmfh9eqfW
MD5:	CFC60879473BCBE1235CBABDE86601F7
SHA1:	AF52AD6F24638BC00F29D3A565050E38916C5085
SHA-256:	4F44B9A625BD4F577E9BCE191F941AE6060BA2112D338A1FE89AA41F7A00B4F3
SHA-512:	6B79700027196E79C94A3602F4304929B621910F3FB1E3CE30465EC0CF753D87E3603CB8F7247C507EFA449EEE56F5813B7CAEE7066274CCB4C5A8FE691DF6A3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3352.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4646
Entropy (8bit):	4.500667350444125
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmSJg77aI9/MWpW8VYCYm8M4JWanrFgJ+q8VI53L2C8Usvd:uIjfmgI7Fl7VKJaJRr87vd
MD5:	A34F16B32EE0DACF237A457A9E0EF59B
SHA1:	70B5094A8AB180B2B80A0C8218973DE63589079A
SHA-256:	60BBFFF2B9BF6982A169E1D8685ADA635B600BE0F1E86C24ADC818DA32D7A284
SHA-512:	14F6F1325D6DCB31558431CFE748F769098C0A68965D56ECE8310183BD27CB6D4B543984BFF50FFB73C94DB83445C510ABC2BCA46CC8E408379ABC605319708C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="788516" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.471857372939963
Encrypted:	false
SSDEEP:	6144:qzZfpi6ceLPx9skLmb0fjZWSP3aJG8nAgeiJRMMhA2zX4WABlFuNKjDH5S:sZHtjZWOKnMM6bFkMj4
MD5:	B7978DBB7EFE6D537461852783A49763
SHA1:	F382CD76506FA6CA38CF6BBDB2354CF69225EB64
SHA-256:	8BE670DD2F5C99121D5CFC26025343BCBC2E11465F1A9D86D17126AFA058FB06
SHA-512:	E9EA55996299E23FDCB2DD64F5D37BE4E54DC60B9941ACFFBB7EDA5D59DC58E4843850EB9AC789EADD54467E82DFF2C94B2355965FF892FFD05081DEBEE9F54A
Malicious:	false
Reputation:	low
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.`.."................................................................................................................................................................................................................................................................................................................................................../........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.5216406363433186
Encrypted:	false
SSDEEP:	3:jwn:jwn
MD5:	2F64267CB717CEE85054093DA85FD90A
SHA1:	143C26032E49EDE7EB60483F92104855AC658995
SHA-256:	8B1E909395FA237DD09D038F5A27F6B43E381F29AB50ACD2653B2DE9411EC88D
SHA-512:	50827B561805DDABBBDFAC826A166468272C1877C924C7E64BFDC16DC46BBE4DEEDA5BC6F5421BCF0AE1989ACFE83B8A53E1674127BDED9D3401DEB67C10F31E
Malicious:	false
Reputation:	low
Preview:	Start..

Static File Info

General

File type:	MS-DOS executable PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.948939926981446
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	[SOH] CS1.6 Hack v2.exe
File size:	67'585 bytes
MD5:	4eeab4b5b16939a50019e34f53cc8536
SHA1:	1bcf2a73174f1b388646e0c8db2ade63eb03dd24
SHA256:	0977ee8dff943b199d60adc10077f361611e0428cd4781ff5ae556a0192be1a6
SHA512:	48adf7ed1da4046add7d3fb974800210380b09467f8884591e1931297145c44f9a4c1a7b9ed191f7b5547ec6b718134553f6e6def6d31c578da6ccbaa58fb90f
SSDEEP:	1536:SJx5JMnXmqrxr5MHVIZ675/tOCqRm45BIJFMJ3Li0BXXTOM5:SJQRVr53Z6tt7qRzYFh0BXXh
TLSH:	1C630252909B6B3CC279C33B18BF05E24864385B81A6DB73D7CB51A6ED287C8214C3B3
File Content Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L...gv\|O.................~...:....................@.......................... ................... .........................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4301a6
Entrypoint Section:	.MPRESS2
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F7C7667 [Wed Apr 4 16:27:19 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4b56b32aa086612dc2211b44e12d520f

Entrypoint Preview

Instruction
pushad
call 00007F6AB08E7A95h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007F6AB08E7A88h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007F6AB08E7AF3h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007F6AB08E7AB8h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007F6AB08E7A84h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007F6AB08E7A98h
cmp eax, edx
jnc 00007F6AB08E7A77h
jmp 00007F6AB08E7A98h
add eax, ebx
js 00007F6AB08E7A71h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007F6AB08E7A68h
call 00007F6AB08E7A95h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007F6AB08E7A95h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30000	0x1a8	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x300a0	0x38	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0x2f000	0xf400	32ad70d792a0d1c06e7e6ad41fbc9da7	False	1.0000960553278688	data	7.996976368895077	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2	0x30000	0xd10	0xe00	07e8cde14ef459b98c3305cce8570fe6	False	0.5463169642857143	data	5.753649772857798	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x31000	0x2b0	0x400	921e2b5a4bcfc94d1b4c9fd8e1b0e982	False	0.3525390625	data	4.100127979411817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x31058	0x256	ASCII text, with CRLF line terminators	English	United States	0.5100334448160535

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress
USER32.dll	GetDC
GDI32.dll	CreateFontA
WINMM.dll	timeGetTime
OPENGL32.dll	glGenLists
SHLWAPI.dll	PathStripPathA
MSVCR90.dll	rand

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• [SOH] CS1.6 Hack v2.exe
• conhost.exe
• cmd.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• [SOH] CS1.6 Hack v2.exe
• conhost.exe
• cmd.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: [SOH] CS1.6 Hack v2.exePID: 7528, Parent PID: 496

Function Logs

General

Target ID:	0
Start time:	18:53:53
Start date:	02/04/2025
Path:	C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe"
Imagebase:	0x400000
File size:	67'585 bytes
MD5 hash:	4EEAB4B5B16939A50019E34F53CC8536
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7536, Parent PID: 7528

Function Logs

General

Target ID:	1
Start time:	18:53:53
Start date:	02/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7588, Parent PID: 7528

Function Logs

General

Target ID:	2
Start time:	18:53:53
Start date:	02/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c color F8
Imagebase:	0x2a0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7712, Parent PID: 7528

Function Logs

General

Target ID:	6
Start time:	18:53:54
Start date:	02/04/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 576
Imagebase:	0xe70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Monitored

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Suspended

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [SOH] CS1.6 Hack v2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_[SOH] CS1.6 Hack_d2e752d27c733e64b9b05b113fbd9cc43686c5a_8a141c15_7e724db4-cbf0-4afa-ace4-829a750062d0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3266.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3312.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3352.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: [SOH] CS1.6 Hack v2.exePID: 7528, Parent PID: 496

Windows Analysis Report
[SOH] CS1.6 Hack v2.exe