Create Interactive Tour

Windows Analysis Report
e8k60omgBH

Overview

General Information

Sample Name:	e8k60omgBH (renamed file extension from none to exe)
Analysis ID:	571416
MD5:	979bb3e11a8127d6424b9757c7acc18a
SHA1:	6ee49291a57017b6a1e4505ac78ad8626770d470
SHA256:	0e8a0e3b16fe1d9812eaaa168ffc955099b32c0e8b927c1ca638a2af908cdc36
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Machine Learning detection for sample

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

One or more processes crash

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Detected potential crypto function

IP address seen in connection with other malware

Enables debug privileges

Classification

Process Tree

System is w10x64

e8k60omgBH.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\e8k60omgBH.exe" MD5: 979BB3E11A8127D6424B9757C7ACC18A)

WerFault.exe (PID: 5364 cmdline: C:\Windows\system32\WerFault.exe -u -p 6952 -s 1420 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
e8k60omgBH.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19b0:$v3_1: localhost.IUserServiceu 0xf09:$v3_2: ParseNetworkInterfaces 0x1a00:$v3_3: ReplyAction0http://tempuri.org/IUserService/GetUsersResponse 0x19ce:$v3_4: Action(http://tempuri.org/IUserService/GetUsersT 0x1722:$v3_5: basicCfg

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.e8k60omgBH.exe.e80000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19b0:$v3_1: localhost.IUserServiceu 0xf09:$v3_2: ParseNetworkInterfaces 0x1a00:$v3_3: ReplyAction0http://tempuri.org/IUserService/GetUsersResponse 0x19ce:$v3_4: Action(http://tempuri.org/IUserService/GetUsersT 0x1722:$v3_5: basicCfg
1.0.e8k60omgBH.exe.e80000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19b0:$v3_1: localhost.IUserServiceu 0xf09:$v3_2: ParseNetworkInterfaces 0x1a00:$v3_3: ReplyAction0http://tempuri.org/IUserService/GetUsersResponse 0x19ce:$v3_4: Action(http://tempuri.org/IUserService/GetUsersT 0x1722:$v3_5: basicCfg
1.0.e8k60omgBH.exe.e80000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19b0:$v3_1: localhost.IUserServiceu 0xf09:$v3_2: ParseNetworkInterfaces 0x1a00:$v3_3: ReplyAction0http://tempuri.org/IUserService/GetUsersResponse 0x19ce:$v3_4: Action(http://tempuri.org/IUserService/GetUsersT 0x1722:$v3_5: basicCfg
1.0.e8k60omgBH.exe.e80000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x19b0:$v3_1: localhost.IUserServiceu 0xf09:$v3_2: ParseNetworkInterfaces 0x1a00:$v3_3: ReplyAction0http://tempuri.org/IUserService/GetUsersResponse 0x19ce:$v3_4: Action(http://tempuri.org/IUserService/GetUsersT 0x1722:$v3_5: basicCfg

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: e8k60omgBH.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: e8k60omgBH.exe	Virustotal: Detection: 73%			Perma Link
Source: e8k60omgBH.exe	ReversingLabs: Detection: 88%

Antivirus detection for URL or domain

Source: http://tempuri.org/IUserService/GetUsersResponse	Avira URL Cloud: Label: phishing
Source: http://tempuri.org/IUserService/GetUsersT	Avira URL Cloud: Label: phishing
Source: http://tempuri.org/IUserService/GetUsers	Avira URL Cloud: Label: phishing

Machine Learning detection for sample

Source: e8k60omgBH.exe

Joe Sandbox ML: detected

Source: e8k60omgBH.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: e8k60omgBH.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\e8k60omgBH.PDB source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDS source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.Internals.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb.u source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\e8k60omgBH.PDB source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdbG> source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: SMDiagnostics.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb.LP; source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e8k60omgBH.PDB source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbIBC; source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.337478911.0000000001324000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lib.pdb.0 source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbMZ source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb u source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbHu`;! source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdbRSDS source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbTut;% source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Runtime.Serialization.pdb` source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.ni.pdbRSDSO source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbK source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.337794542.000000001BCB0000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb.u source: e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb"Ll; source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModellib.pdb source: e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.ni.pdb source: WER1362.tmp.dmp.17.dr

Source: global traffic

TCP traffic: 192.168.2.3:49745 -> 185.153.198.216:8010

Source: Joe Sandbox View

IP Address: 185.153.198.216 185.153.198.216

Source: unknown	TCP traffic detected without corresponding DNS query: 185.153.198.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.153.198.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.153.198.216

Source: e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.153.198.216:8010
Source: e8k60omgBH.exe	String found in binary or memory: http://185.153.198.216:8010/UserService
Source: e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.153.198.216:8010x
Source: e8k60omgBH.exe	String found in binary or memory: http://schemas.datacontract.org/2004/07/Server.Models
Source: e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/Server.ModelsXn1g
Source: e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: e8k60omgBH.exe, 00000001.00000000.339335738.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
Source: e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: e8k60omgBH.exe, 00000001.00000000.339335738.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsers
Source: e8k60omgBH.exe	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
Source: e8k60omgBH.exe	String found in binary or memory: http://tempuri.org/IUserService/GetUsersT
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: e8k60omgBH.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.e8k60omgBH.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.e8k60omgBH.exe.e80000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.e8k60omgBH.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.0.e8k60omgBH.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: e8k60omgBH.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: e8k60omgBH.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.e8k60omgBH.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.e8k60omgBH.exe.e80000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.e8k60omgBH.exe.e80000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.0.e8k60omgBH.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: e8k60omgBH.exe	Binary or memory string: OriginalFilename vs e8k60omgBH.exe
Source: e8k60omgBH.exe, 00000001.00000000.337381244.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e8k60omgBH.exe
Source: e8k60omgBH.exe, 00000001.00000002.354517240.0000000000E82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOppilates.exeD vs e8k60omgBH.exe
Source: e8k60omgBH.exe, 00000001.00000002.354571477.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e8k60omgBH.exe
Source: e8k60omgBH.exe	Binary or memory string: OriginalFilenameOppilates.exeD vs e8k60omgBH.exe

Source: C:\Users\user\Desktop\e8k60omgBH.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6952 -s 1420

Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70AAA	1_2_00007FFC08B70AAA
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70358	1_2_00007FFC08B70358
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70318	1_2_00007FFC08B70318
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70137	1_2_00007FFC08B70137
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70283	1_2_00007FFC08B70283
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70298	1_2_00007FFC08B70298
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70183	1_2_00007FFC08B70183
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70383	1_2_00007FFC08B70383
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Code function: 1_2_00007FFC08B70380	1_2_00007FFC08B70380

Source: e8k60omgBH.exe	Virustotal: Detection: 73%
Source: e8k60omgBH.exe	ReversingLabs: Detection: 88%

Source: C:\Users\user\Desktop\e8k60omgBH.exe

File read: C:\Users\user\Desktop\e8k60omgBH.exe

Jump to behavior

Source: e8k60omgBH.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\e8k60omgBH.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\e8k60omgBH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e8k60omgBH.exe "C:\Users\user\Desktop\e8k60omgBH.exe"
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6952 -s 1420

Source: C:\Users\user\Desktop\e8k60omgBH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6952

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1362.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.winEXE@2/5@0/2

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\e8k60omgBH.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: e8k60omgBH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e8k60omgBH.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\e8k60omgBH.PDB source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDS source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.Internals.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb.u source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\e8k60omgBH.PDB source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdbG> source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: SMDiagnostics.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb.LP; source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e8k60omgBH.PDB source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbIBC; source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.337478911.0000000001324000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lib.pdb.0 source: e8k60omgBH.exe, 00000001.00000000.337343532.0000000000FC2000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdbMZ source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb u source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbHu`;! source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdbRSDS source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbTut;% source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Runtime.Serialization.pdb` source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.ni.pdbRSDSO source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Configuration.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbK source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.337794542.000000001BCB0000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, WER1362.tmp.dmp.17.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb.u source: e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: e8k60omgBH.exe, 00000001.00000000.338748380.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb"Ll; source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Core.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModellib.pdb source: e8k60omgBH.exe, 00000001.00000002.354604919.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ni.pdb source: WER1362.tmp.dmp.17.dr
Source:	Binary string: System.ServiceModel.ni.pdb source: WER1362.tmp.dmp.17.dr

Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: e8k60omgBH.exe, 00000001.00000000.337821748.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.357747923.000000001BCC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\e8k60omgBH.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\e8k60omgBH.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\e8k60omgBH.exe	Queries volume information: C:\Users\user\Desktop\e8k60omgBH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e8k60omgBH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\e8k60omgBH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
e8k60omgBH.exe	74%	Virustotal		Browse
e8k60omgBH.exe	88%	ReversingLabs	ByteCode-MSIL.Spyware.SmallAgent
e8k60omgBH.exe	100%	Avira	HEUR/AGEN.1141169
e8k60omgBH.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.e8k60omgBH.exe.e80000.0.unpack	100%	Avira	HEUR/AGEN.1141169	Download File
1.0.e8k60omgBH.exe.e80000.2.unpack	100%	Avira	HEUR/AGEN.1141169	Download File
1.2.e8k60omgBH.exe.e80000.0.unpack	100%	Avira	HEUR/AGEN.1141169	Download File
1.0.e8k60omgBH.exe.e80000.1.unpack	100%	Avira	HEUR/AGEN.1141169	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/IUserService/GetUsersResponse	0%	Virustotal		Browse
http://tempuri.org/IUserService/GetUsersResponse	100%	Avira URL Cloud	phishing
http://tempuri.org/IUserService/GetUsersT	1%	Virustotal		Browse
http://tempuri.org/IUserService/GetUsersT	100%	Avira URL Cloud	phishing
http://185.153.198.216:8010	4%	Virustotal		Browse
http://185.153.198.216:8010	0%	Avira URL Cloud	safe
http://185.153.198.216:8010/UserService	4%	Virustotal		Browse
http://185.153.198.216:8010/UserService	0%	Avira URL Cloud	safe
http://185.153.198.216:8010x	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/Server.Models	0%	Avira URL Cloud	safe
http://tempuri.org/IUserService/GetUsers	100%	Avira URL Cloud	phishing
http://schemas.datacontract.org/2004/07/Server.ModelsXn1g	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/IUserService/GetUsersResponse	e8k60omgBH.exe	true	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP	e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/IUserService/GetUsersT	e8k60omgBH.exe	true	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.153.198.216:8010	e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.153.198.216:8010/UserService	e8k60omgBH.exe	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	e8k60omgBH.exe, 00000001.00000000.339335738.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.153.198.216:8010x	e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://tempuri.org/	e8k60omgBH.exe, 00000001.00000000.339335738.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.17.dr	false		high
http://schemas.datacontract.org/2004/07/Server.Models	e8k60omgBH.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/IUserService/GetUsers	e8k60omgBH.exe, 00000001.00000002.357437513.00000000032BB000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/soap/actor/next	e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/Server.ModelsXn1g	e8k60omgBH.exe, 00000001.00000000.339214455.0000000003201000.00000004.00000800.00020000.00000000.sdmp, e8k60omgBH.exe, 00000001.00000002.354981631.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.153.198.216	unknown	Russian Federation		49877	RMINJINERINGRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	571416
Start date:	13.02.2022
Start time:	13:23:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	e8k60omgBH (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@2/5@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1.3%) Quality average: 69.5% Quality standard deviation: 40.2%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Execution Graph export aborted for target e8k60omgBH.exe, PID 6952 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:25:20	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.153.198.216	pbFsdsbUO4.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	6o3jsUecIi.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	X6CTIowB1I.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	8xpBA9yGG1.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	q2nqf1zIqN.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	JnR2fIwrPd.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	s2ssQd4Ge3.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	FzAUg3Pgpe.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	m0OTSDFkce.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	xWXM0TwiQX.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	Nn9dFiCWR0.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	nTiza8je9A.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService
	77ocUYRJgB.exe	Get hash	malicious	Browse	185.153.198.216:8010/UserService

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RMINJINERINGRU	BFB5D8AB558D5057F1980C1BAB9BFB8215D43F41F0065.exe	Get hash	malicious	Browse	87.251.71.82
	E10C2C073D337A5CD7BC1FE1FB48B314730D257FB0D21.exe	Get hash	malicious	Browse	87.251.71.64
	ileEIP26cf.exe	Get hash	malicious	Browse	87.251.71.64
	G2Shy4flZe.exe	Get hash	malicious	Browse	87.251.71.44
	BC2CCE5055F9411C04EDEEE699D7161C257574B4C5540.exe	Get hash	malicious	Browse	87.251.71.195
	srJfa3GmXh.exe	Get hash	malicious	Browse	87.251.71.44
	oGC5UCbzoL.exe	Get hash	malicious	Browse	87.251.71.44
	nVJouCa1cO.exe	Get hash	malicious	Browse	87.251.71.44
	GIqD5HuY5M.exe	Get hash	malicious	Browse	87.251.71.64
	J3Z409zKc6.exe	Get hash	malicious	Browse	87.251.71.44
	SHxBXBGCyS.exe	Get hash	malicious	Browse	185.153.198.58
	WyhX1MJx8v.exe	Get hash	malicious	Browse	87.251.71.68
	6clffER1J0.exe	Get hash	malicious	Browse	185.153.198.58
	SmartPDF.exe	Get hash	malicious	Browse	87.251.71.14
	e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a6.exe	Get hash	malicious	Browse	87.251.71.14
	e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a6.exe	Get hash	malicious	Browse	87.251.71.14
	c0Xw0E5XyC.exe	Get hash	malicious	Browse	87.251.71.8
	208660089575DBEF9E473AE2B2556E5492E8739376D39.exe	Get hash	malicious	Browse	87.251.71.195
	4k5PIAk2z2.exe	Get hash	malicious	Browse	87.251.71.8
	ftCytTSz94.exe	Get hash	malicious	Browse	87.251.71.8

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_e8k60omgBH.exe_d33dd7c6dac0c4cca61d80baa15e5972586dbdb_2fe487e9_1490243b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1136918200094301
Encrypted:	false
SSDEEP:	192:Z8ze2oFxHEXFM8a1xjUJ+x/u7sQS274ltJxz:Ke2ozE1M8arQAx/u7sQX4ltJ
MD5:	2371A0E400C554BAECBB8119B563113C
SHA1:	C75ADE2D5FCFC75D20D9A7D1B2C125C6FF1FBCF5
SHA-256:	FEB45A570A83CE543C387CB6FA409D448F3828D5CC7CEC70DFF91C0E56C43634
SHA-512:	9A6E60EFE8467405CE5E8654E626514F3124A04659D2043B2389E99F589D11FEB0627B42522E7C550DBD1B96CC202A252DD3801ED1A351CF8789C927C0CE3DBE
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.9.2.6.1.1.1.5.8.0.8.7.9.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.9.2.6.1.1.1.8.8.0.8.7.7.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.3.f.c.b.a.5.-.a.d.5.3.-.4.3.a.e.-.9.a.b.3.-.c.a.9.5.0.8.d.f.c.d.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.f.9.e.3.8.b.-.0.0.3.b.-.4.d.e.1.-.a.e.0.d.-.4.6.3.d.8.7.1.d.8.e.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.8.k.6.0.o.m.g.B.H...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.p.p.i.l.a.t.e.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.2.8.-.0.0.0.1.-.0.0.1.c.-.4.f.3.4.-.0.e.2.0.2.0.2.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.3.0.f.f.8.3.5.5.3.c.1.8.e.9.8.2.2.f.7.9.a.a.9.e.2.9.8.0.c.0.0.0.0.0.0.0.0.0.!.0.0.0.0.6.e.e.4.9.2.9.1.a.5.7.0.1.7.b.6.a.1.e.4.5.0.5.a.c.7.8.a.d.8.6.2.6.7.7.0.d.4.7.0.!.e.8.k.6.0.o.m.g.B.H.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1362.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Feb 13 21:25:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	461577
Entropy (8bit):	3.3815761932837227
Encrypted:	false
SSDEEP:	3072:gvxf2Vq07Nda8mYopvArYfnJnv56Bo4ylBz8F0+gTcgvwWGAEfkBm+PZkl9cEvGh:uhdiy8mDp4Yfnb6BYSMwWw8PZeGh
MD5:	33171459454CEC2BF7E79FBC297B003E
SHA1:	8C58E18D5BACB9E01D32FA5193A9B040CAA09BB4
SHA-256:	70EE5B7D4C47DFDFD229F989F9FCD6CCABB230CB8AE63659E9310B91B7E0053E
SHA-512:	877AF606F76440C617626933E57FF9A7A7C151F2BE3A79FCCD17821EC9566667E1DA5A4FFD922FB2B0E006BFBD6BF4CED98048FE12A91E563479142400DC55D8
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......<w.b....................................<....!..........("......TC...l..........l.......8...........T............7..1............-.........../...................................................................U...........B......l0......Lw.....................T.......(....w.b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER197E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8616
Entropy (8bit):	3.703982641691963
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi+d/6YFv//s+kgmfZNS5MCpr/89baypf/G+m:RrlsNiU/6Yd//sNgmfjSKa8fu
MD5:	D1BCD309C97AE6317FE6A53C6F501F62
SHA1:	ED43C293B12ACD28CC64AFD289ED7E14C688D126
SHA-256:	ECA9AF027DCDEB2813E870C7FB46A42CE6F73B25550FAF5ED748EEFFB4A75315
SHA-512:	68EBDAD998D5BB14C79A3EE673A5249B4F386728B15C27B63B0DD15972293C33CC052071A31A248828A4F64E17A67B1F3709860BAC2286E36832B15CCFB77991
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AA7.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4792
Entropy (8bit):	4.49915177448768
Encrypted:	false
SSDEEP:	48:cvIwSD8zsDtJgtBI9TzWSC8Bg8fm8M4JEumaF5jyq8vbumaergd:uITfDHVCSNTJZ1jWKNergd
MD5:	972357F1364452662EC1C69690FB45EA
SHA1:	A43147C45A42840CF93B7F97648ECB4E10021CBD
SHA-256:	DC10FCE88C5EC9C52A8C45F85C7B342A1FBCF8FFF6405D96C48C9FA33943A8EC
SHA-512:	2D659A2838B0C5512AC0E4304465FBBC3B1FF4D899798492BB568AAB570424B7492AF24114E290152B182F2BFCA59664E0351480ED7CF6B744C2FF068A9D49DF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1385675" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.270336510312646
Encrypted:	false
SSDEEP:	12288:gwp0Th312ap8TSP5ve7dcb5GMtzr8VxmoKwPjMQ2ZlPfq+kwX2jed:Tp0Th312ap8TSPd5
MD5:	73005698AF761286C4E76E4AD59458D3
SHA1:	7658260058B22BA1E23888F472096C0CABF1CDCE
SHA-256:	79349684D7B6E38043FCBCCAC16B6DE1ADC8CA1054FF4EBF772DAC459077C85C
SHA-512:	7D0C29F023B2E7F244F8E608DE1A7414345987E3D2F68064CBE61D899155BAB0F80AF102A07D971AE80CE4956D14A1B6E5D9C83CE88772233BAB6327AA8773BF
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.V$1 !................................................................................................................................................................................................................................................................................................................................................/l........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.952774145620681
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	e8k60omgBH.exe
File size:	9728
MD5:	979bb3e11a8127d6424b9757c7acc18a
SHA1:	6ee49291a57017b6a1e4505ac78ad8626770d470
SHA256:	0e8a0e3b16fe1d9812eaaa168ffc955099b32c0e8b927c1ca638a2af908cdc36
SHA512:	63bc1a073c19b33c931faa122a3f505ff5b7b9b4b168391c68cdb38dda657711abe5a2c730ee5bdd790349d9e509b73b39f11d2de258ea13786677e0b3bf9d4e
SSDEEP:	96:R2zsKnbnK4Mm/oPj9/pPPeW8byZZ3Yy93VyWCYdwXzsamQoPIDcSfXhjzNt:RMsK9MuILXeMZZ3r93VnjdwXz43RKhl
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8`............................n9... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40396e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60389FF6 [Fri Feb 26 07:15:02 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3918	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1974	0x1a00	False	0.514122596154	data	5.61916850515	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x610	0x800	False	0.357421875	data	3.48527628546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x40a0	0x37c	data
RT_MANIFEST	0x4420	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	tVEXnrevJwV
Assembly Version	1.0.0.0
InternalName	Oppilates.exe
FileVersion	1.0.0.0
CompanyName	gcsuXqltIlTE
LegalTrademarks	ajSlULNHlvKfoIYce
Comments	rSEWZmSPNb
ProductName	hYHCFokXSPsiBiTR
ProductVersion	1.0.0.0
FileDescription	HdmIwlJQiQJDnSDG
OriginalFilename	Oppilates.exe

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
02/13/22-13:24:52.367074	ICMP	399	ICMP Destination Unreachable Host Unreachable	217.26.164.50	192.168.2.3
02/13/22-13:24:57.086713	ICMP	399	ICMP Destination Unreachable Host Unreachable	217.26.164.50	192.168.2.3
02/13/22-13:25:03.086587	ICMP	399	ICMP Destination Unreachable Host Unreachable	217.26.164.50	192.168.2.3

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 13, 2022 13:24:51.027466059 CET	49745	8010	192.168.2.3	185.153.198.216
Feb 13, 2022 13:24:54.032190084 CET	49745	8010	192.168.2.3	185.153.198.216
Feb 13, 2022 13:25:00.032541037 CET	49745	8010	192.168.2.3	185.153.198.216

Statistics

Click to jump to process

Memory Usage

• e8k60omgBH.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• e8k60omgBH.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: e8k60omgBH.exePID: 6952, Parent PID: 1372

Function Logs

General

Target ID:	1
Start time:	13:24:46
Start date:	13/02/2022
Path:	C:\Users\user\Desktop\e8k60omgBH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\e8k60omgBH.exe"
Imagebase:	0xe80000
File size:	9728 bytes
MD5 hash:	979BB3E11A8127D6424B9757C7ACC18A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Network Activities

Socket bound

Socket connected

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5364, Parent PID: 6952

Function Logs

General

Target ID:	17
Start time:	13:25:15
Start date:	13/02/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6952 -s 1420
Imagebase:	0x7ff74b170000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Value Modified

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: e8k60omgBH.exePID: 6952, Parent PID: 1372COMMON

Executed Functions

Function 00007FFC08B70137 Relevance: 4.4, Strings: 3, Instructions: 630COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 60be1c8a239d2ba84dfb15ef031cc36932335d86596fcb83fb1dc810e7f407a8
Instruction ID: 4818d2eb5862489d631938da2bbb11358f4dcc20b3ad6dce76dc91ee6f3e461c
Opcode Fuzzy Hash: 60be1c8a239d2ba84dfb15ef031cc36932335d86596fcb83fb1dc810e7f407a8
Instruction Fuzzy Hash: 15020962A0C96A8FEB54F72C64961F97B92EF863307540177D04DCB1E3DE18684BC369

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70183 Relevance: 4.4, Strings: 3, Instructions: 626COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 1e3714de7e3c74de53bc860eb3611ba2ddb5227b1007a9dd7a75371e30f08907
Instruction ID: 35d0f44644ac6f3b65b55feebccd94a7f87e754586e57b94c53fe18df9d8c552
Opcode Fuzzy Hash: 1e3714de7e3c74de53bc860eb3611ba2ddb5227b1007a9dd7a75371e30f08907
Instruction Fuzzy Hash: 44021A62A0C96A8FEB54F72C68961F97792EF863307540177D04DC71E3EE18684BC369

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70283 Relevance: 4.3, Strings: 3, Instructions: 539COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 6997ccc9a10e2e705bf072dcdf9922f26f70fdb215052fc03bf08a7a9fc4424e
Instruction ID: a49b6525852d5a414b941cfe3b9b40ecbf2283ca2612f1dfe498dff696c9dd48
Opcode Fuzzy Hash: 6997ccc9a10e2e705bf072dcdf9922f26f70fdb215052fc03bf08a7a9fc4424e
Instruction Fuzzy Hash: DAF12922A0C96A8FEB54F72C68961F87791EF9A33075441BAD04DC71E3DE18684BC369

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70298 Relevance: 4.3, Strings: 3, Instructions: 525COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 75101e67a6e27647fafc7bdf8e1df67d4bcc7a3f80c589f9e8da25115520d8c0
Instruction ID: 8c19a4af76f572f42001ed0f5cfcb1c86ee6c4232bd00d3d0a7e9d0fdcec0c81
Opcode Fuzzy Hash: 75101e67a6e27647fafc7bdf8e1df67d4bcc7a3f80c589f9e8da25115520d8c0
Instruction Fuzzy Hash: ACF12A22A0C96A8FEB54F72C68961F87791EF9A33075441BBD04DC71E3DE18684BC369

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70318 Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 407db55f3a5c67c517ce7b659f83b9ae4cc6fcecc511409234381ced409f5642
Instruction ID: bdc4d3347622e19086e39a1d0bc2c3aaf328654b720f83f48eaf19a8fb4bff32
Opcode Fuzzy Hash: 407db55f3a5c67c517ce7b659f83b9ae4cc6fcecc511409234381ced409f5642
Instruction Fuzzy Hash: 51D1F622B0C96E8FEB54F62C54962F877D2EF9A320B54417AD00DC72D3DE18684BC365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70383 Relevance: 4.2, Strings: 3, Instructions: 445COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 4328db9817311d59d07fb4402d48a14664f4cc0fc162a2663e0634755bfdaa0e
Instruction ID: 9f83add76f4b3c5d834bf5f8e4bc2646e1f08c19b6625eada0250a9735e9414a
Opcode Fuzzy Hash: 4328db9817311d59d07fb4402d48a14664f4cc0fc162a2663e0634755bfdaa0e
Instruction Fuzzy Hash: FAD10722B0C96A8FEB54F62C54962F877D2FF9A320764417AD04DC72D3DD18A847C365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70380 Relevance: 4.2, Strings: 3, Instructions: 444COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 4b3d5e7bdb9929805c51677669bdf578ccab8db9a862e16b08cb1d90fc97a653
Instruction ID: 519fa9ab7726c303ae742f94970ca43a96332912e98a24b05bccd254f1e89ceb
Opcode Fuzzy Hash: 4b3d5e7bdb9929805c51677669bdf578ccab8db9a862e16b08cb1d90fc97a653
Instruction Fuzzy Hash: 90D1F622B0C96A8FEB94F62C54962F877D2EF9A320B54417AD04DC72D3DE18A847C365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70358 Relevance: 4.2, Strings: 3, Instructions: 434COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 27ed742b2c2e3ccfa48018f75d28879cecac897779331432f83d7f0f9b63fb8f
Instruction ID: 8d75ebdec2e8350ed738f9c6539d537de97943d7619fee6d0cdc82669c6c5d94
Opcode Fuzzy Hash: 27ed742b2c2e3ccfa48018f75d28879cecac897779331432f83d7f0f9b63fb8f
Instruction Fuzzy Hash: EEC1E421B0C96A8FEB94F66C54962B877D2FF9A320B64417AD00DC72D3DE18A847C365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70AAA Relevance: 2.0, Strings: 1, Instructions: 734COMMON

Download Yara Rule

Strings

6a_^, xrefs: 00007FFC08B70BB1

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: 6a_^
API String ID: 0-216130590
Opcode ID: 27b1748ee7247f561e933d89559c68f37c1a84b0483e17b179ce92b6bebe25eb
Instruction ID: 67ee5761e8e1efd796de80791bcd4f711b62551ede9d1f8d9fd7b31b8d314efd
Opcode Fuzzy Hash: 27b1748ee7247f561e933d89559c68f37c1a84b0483e17b179ce92b6bebe25eb
Instruction Fuzzy Hash: 20220857A0D6AA4EEA21B67C78561E57BA1EF8333071440B7D08CCA0E3DE18594FC3B9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B703F0 Relevance: 4.2, Strings: 3, Instructions: 402COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 6f0b26c5a8d9a1b281b54643ad0d5f1171360b82d80ac2f8ec926f1ab4f53849
Instruction ID: e5c04f7f749e501b8ea3a8df6a5f458f4a408a650434709fce3b2d000023b4e4
Opcode Fuzzy Hash: 6f0b26c5a8d9a1b281b54643ad0d5f1171360b82d80ac2f8ec926f1ab4f53849
Instruction Fuzzy Hash: 3FC1F821B0C96E8FEB94F66C54952B877D2FF99320B64427AD00DC72D7DD28A807C365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70410 Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

2Qd, xrefs: 00007FFC08B704D3
2Qd, xrefs: 00007FFC08B706AD
hbOd, xrefs: 00007FFC08B706FB

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: hbOd$2Qd$2Qd
API String ID: 0-2780502967
Opcode ID: 4ee2b213eb4e9644d6ee364fea38eba34c8fe23f7a7e1838389fe3388c2aa08e
Instruction ID: af623dc04f8b02a027915745d35087ee51eb865431e5e022d2d162b903466332
Opcode Fuzzy Hash: 4ee2b213eb4e9644d6ee364fea38eba34c8fe23f7a7e1838389fe3388c2aa08e
Instruction Fuzzy Hash: 60B1E721B0C96E8FEB98F66C48952B877D2FF99320B54427AD00DC72D7DD28A807C365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B71709 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

(a_^, xrefs: 00007FFC08B719B1
H, xrefs: 00007FFC08B7191C

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: (a_^$H
API String ID: 0-2194426959
Opcode ID: 03fe36c351f54bee344193129f31bf42c6da61f435f542e9b8f7943f3c33b57b
Instruction ID: 406432cc87009a2f73164373b42bd9fae9496b61f217edc2f2db73f3898195d9
Opcode Fuzzy Hash: 03fe36c351f54bee344193129f31bf42c6da61f435f542e9b8f7943f3c33b57b
Instruction Fuzzy Hash: 80A1F565C0D3AE4FEB55EA688C660E93BA0EF52320F1451BAC489C71D3EE1C554BC379

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B72645 Relevance: 2.0, Strings: 1, Instructions: 724COMMON

Download Yara Rule

Strings

=X^H, xrefs: 00007FFC08B72AF2

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: =X^H
API String ID: 0-496318736
Opcode ID: b5eed7325e6b448155568df59838a60fc7638ee68002eacd306176bd085050cf
Instruction ID: d3399c4c3abff084b5daed5960b58cbf86aa4849165bcc2f0155cab0916fa6b1
Opcode Fuzzy Hash: b5eed7325e6b448155568df59838a60fc7638ee68002eacd306176bd085050cf
Instruction Fuzzy Hash: 5B224B52A0D6AA4FEB51E72CAC561E93B90EF82330B5440B7D48DCB0D7DD28994BC379

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B77151 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bbec062c8bca4f50b9971fa1c81ab059e8f925d97b1a9173c7f50cba6158f2
Instruction ID: 68485694aed71252b3bea0884e1fdcf43f007ecd1c5d88e234be5bc4ee1440e3
Opcode Fuzzy Hash: d5bbec062c8bca4f50b9971fa1c81ab059e8f925d97b1a9173c7f50cba6158f2
Instruction Fuzzy Hash: 97912331A1DBD94FE756C7288C95161BFE0EF46320B1945FAC089C75E3CA29B847C366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B778F9 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1429a571935f749201d6fcd701c39e87ed55d03143618e6b05e66aec83d41179
Instruction ID: ce26acffcbb2fc0735446267590d85ad1016c011e82135090334b95e5d8b9f1b
Opcode Fuzzy Hash: 1429a571935f749201d6fcd701c39e87ed55d03143618e6b05e66aec83d41179
Instruction Fuzzy Hash: B4C1183160DA5A8FEB95EB288895AB53BD1EF55304F1440BED04DC72D3DE28AD02C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B72A94 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d68bc6039b0342bf26e928c4c177d93cdfdc6699c27eeb169fc4211da6957c
Instruction ID: f441402ed09627a07b03ca331930d892626edd6f318f015618a88a0f31d5d384
Opcode Fuzzy Hash: 22d68bc6039b0342bf26e928c4c177d93cdfdc6699c27eeb169fc4211da6957c
Instruction Fuzzy Hash: 5271A030A18A5E8FEF84EF2C88556AA77D1FF98314F44457AE40EC32D2DE34A906C765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B75E11 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99205f65e112f60946810fccf08f33d6603a92ef8e7c5b26872dd2e309ab08cd
Instruction ID: f2f11516a92030f52875a3f6b1f49475fa8f348c10da58106a3d9fc9b3899e5e
Opcode Fuzzy Hash: 99205f65e112f60946810fccf08f33d6603a92ef8e7c5b26872dd2e309ab08cd
Instruction Fuzzy Hash: CB71456190DB9E4FEBA6D7284C552B43BE0EF56210F5841FAC089CB1E3DD18A94BC365

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B72AA0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66962690620492acb7d82d1a7b118363109e0515d265748d875d38e818a4b4a9
Instruction ID: 77a915ef70f8bb52b342c6a4880f3e6517e9d2eec35830b8b3741525976125f7
Opcode Fuzzy Hash: 66962690620492acb7d82d1a7b118363109e0515d265748d875d38e818a4b4a9
Instruction Fuzzy Hash: 1A618E31A18A5E8FEF84EF2C88556AA77D1FF98314F40557AE40EC32D2DE34A906C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B70871 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255de7235a6a8a409ba3ecda8bd22e4b8d1220b58ff2f2d88f243b9c4884a861
Instruction ID: 2d879a1df35f29576da34da3ec77a3f2680e2c895e310d6d3cd7d7127f338fd6
Opcode Fuzzy Hash: 255de7235a6a8a409ba3ecda8bd22e4b8d1220b58ff2f2d88f243b9c4884a861
Instruction Fuzzy Hash: 6551F532A1CA2D4FEB58FA2C98865B5B3D1EF85314B44417AD44EC3293FD25A803C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B74550 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ac24cc8fc98aae07b737b3b2fe248bb2922bfc5122dd118f56af89659735f5
Instruction ID: 28bf3bf39666921c85b63b01a84a5e8fbd082a5a910530f8af694e09c620cb04
Opcode Fuzzy Hash: 05ac24cc8fc98aae07b737b3b2fe248bb2922bfc5122dd118f56af89659735f5
Instruction Fuzzy Hash: FE514961A0CF6E8BEB69A62888955B537D0EF5632171446BAD04EC35E3ED18FC43C36C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B717A7 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8821f9606344b6737ea66b9c8ccd778708eb0c1ab020d3846ab3caa56d889b8f
Instruction ID: 81e8ca187d0322ab34353bc2c39487f4eca46652d356f95683cba80d53ee2532
Opcode Fuzzy Hash: 8821f9606344b6737ea66b9c8ccd778708eb0c1ab020d3846ab3caa56d889b8f
Instruction Fuzzy Hash: 94510F35C0C66E8BEF58EA288C511A937E0FF58324F146239D44DD32C2EE2C664BC679

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B717D9 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672852ec21abd6a4094723da3ec54e295ee600e3b514d367294c9f886b98a1f9
Instruction ID: 3a319952ad7ea7510083e8f7cf4f6a98a4871ef9220b88f7d3ee2d61fd2725a6
Opcode Fuzzy Hash: 672852ec21abd6a4094723da3ec54e295ee600e3b514d367294c9f886b98a1f9
Instruction Fuzzy Hash: 4A41E031C0C76E4BEF58EA288C511A93BE0EF59321F545279C44DC72D2EA2CA54BC775

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B74248 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ec53547ff164c4def578d77f77c0c31f4b226f2af304e41c2b712b921cf74b
Instruction ID: eb222efecadcd8e6cac6c8772af0b3ec858662cb36799abe7e88deee84569ddd
Opcode Fuzzy Hash: 74ec53547ff164c4def578d77f77c0c31f4b226f2af304e41c2b712b921cf74b
Instruction Fuzzy Hash: 7331C661B18E1F4BEE98EA6D54516B663D1FF98301F90453ED00DC32C2ED29F842C758

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B75D40 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6175db39c747b6543149578897dc98c0828f42cf3824fcfcdd8741fbf85844
Instruction ID: e299a91fb5057db708cd3682582ef447aacef36b528e21ba2935cbbcbd3bab5b
Opcode Fuzzy Hash: 8a6175db39c747b6543149578897dc98c0828f42cf3824fcfcdd8741fbf85844
Instruction Fuzzy Hash: DF21D82491EB9A4FE72AA3344C595643FE0EF12314BA841FAC099CB0E3D91D6987C765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B75C38 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5735939fcc4d47cacc470219650703ff8399e5865c6d4eb64ce954a6d353aa2
Instruction ID: b95fe95920e48ef9a478f63510d4ace1f06358179d73f453b0e6b7ec6c00d550
Opcode Fuzzy Hash: b5735939fcc4d47cacc470219650703ff8399e5865c6d4eb64ce954a6d353aa2
Instruction Fuzzy Hash: 2E31BB20A0CB6E4FEF69EB298C902797791AF89300B4590B9D40DCB2C3DD18AD47C375

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B708C2 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e7b2cc90476f23eb89bea4480b76fa233154d4996b27040f7ca11c02dfeee6
Instruction ID: ebdcfe0ea1017830598604bfc3ee7177affdf4f196ef185313aa462b45b62d0e
Opcode Fuzzy Hash: d2e7b2cc90476f23eb89bea4480b76fa233154d4996b27040f7ca11c02dfeee6
Instruction Fuzzy Hash: 6A21F36290CA6E4FF644B6ACCC4A6F17790EF86320748427AD48AC71D7EC4A6847C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B7494D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f6b95139299cfeb4efd86290a990c4d875826bac295d2a563f16562712cf1e
Instruction ID: b16750c875ca27b3b92a25c7803879aba5eb1dc1f7d9ecde6814c503be99ebf1
Opcode Fuzzy Hash: 04f6b95139299cfeb4efd86290a990c4d875826bac295d2a563f16562712cf1e
Instruction Fuzzy Hash: 9A11596190CB5E4FEB90E72C88951E4BBE0FFAA314B8446BAC04DC71C7DD68A943C358

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B75446 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f126a7941b6a6f24a917bb5c7d95e49f06f181b813e782299362f2ce9f960f0
Instruction ID: 681c0e5ce8fe1541797f302eaabb88f616bf39386694b5d57839f1dbd1bd00ff
Opcode Fuzzy Hash: 2f126a7941b6a6f24a917bb5c7d95e49f06f181b813e782299362f2ce9f960f0
Instruction Fuzzy Hash: B411D020A0CA6E4FEBA4E72C8444B717BE1EF59301B0980E6D44DC72A6DD28ED82C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B7481A Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb82bed47cb7d094de4b20ea0a414474d92c44c2c156f8306641c019bc846d
Instruction ID: f1c2cf52c02bce66049e41278f865e82ad164887b25dc4dea98ca48754823e47
Opcode Fuzzy Hash: 4bdb82bed47cb7d094de4b20ea0a414474d92c44c2c156f8306641c019bc846d
Instruction Fuzzy Hash: 8B118F51B1CA2F4AEA99AB6D54511F5A3D1FFA8301FA0453AD00EC36C6EE28F846C358

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B741C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d97b11ea8e174c41a64dd70bdbbb327b4a24af498289638c3f109efeb8bf53
Instruction ID: 0c225fe398b7cf4bb59d7e9a809caf594409c66f92c00f166f37566f2dbab5a1
Opcode Fuzzy Hash: 14d97b11ea8e174c41a64dd70bdbbb327b4a24af498289638c3f109efeb8bf53
Instruction Fuzzy Hash: 05012692A0892E4BEF98DA1C58C51BA67E1FFD931170581B6D40CC72C7DD688E43D3AC

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B7202D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff5843e91b2d21b5f2e20478e23d0a2a3593c447a19450c1391d279c4aa151b
Instruction ID: 46ae25be756605de334e51a609c749aa354d8dd2ee3ad42dec69178e2f44e84a
Opcode Fuzzy Hash: 4ff5843e91b2d21b5f2e20478e23d0a2a3593c447a19450c1391d279c4aa151b
Instruction Fuzzy Hash: 7801C071908B9E8FCB44EF18D8911DA7BA1FF48320F4006AAE41CC72D2CB709916CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B74905 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e55f29e70edd2e393f23c42814496d5c395137e13abdf04efa6e4a5572d6bb
Instruction ID: 25d910309bc0866ab6ad9e3e2ce84bbc330ba0edd7c557cbfe93dc8f7600ec80
Opcode Fuzzy Hash: 18e55f29e70edd2e393f23c42814496d5c395137e13abdf04efa6e4a5572d6bb
Instruction Fuzzy Hash: E7012E7180E7EE4FEB429B648C641E97FA0EF8B211B0445FBD048CB1E3CA6C1906C765

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B756ED Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec043e1f7d0c61c3d5ad9f9b9497d7aa04a0d9de0456c944127e9af5a1fd8d84
Instruction ID: 6f53efa33a0f747801e4519d138f2e9e0c97448024de4f5a6e229e7493641158
Opcode Fuzzy Hash: ec043e1f7d0c61c3d5ad9f9b9497d7aa04a0d9de0456c944127e9af5a1fd8d84
Instruction Fuzzy Hash: CEF02821F5DB6E47DAA5627C7C511E93691DF84120B8411B7D808C62C6ED1DDD83C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B72395 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88053701f907a9076441c822e4f619befdd7a133a0be7e86ce2b4b0d53f3b8d
Instruction ID: 7a52cddb427fe7455a2229a707e552293649117863c878ef60be8833e0483ab5
Opcode Fuzzy Hash: e88053701f907a9076441c822e4f619befdd7a133a0be7e86ce2b4b0d53f3b8d
Instruction Fuzzy Hash: CCF0783144C7A84FE741A73888141617BF0EF87210B0A41FBD889CB1E7D82C6946C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B75BE8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af3c30d7b6022b3f9992c13e24cb28e56c25f3ad81fed9d69f16518bdfab668
Instruction ID: 42aa247564ea9212c955377fac4a7ccdbb1f4faa3502667350ed6ee47ba27523
Opcode Fuzzy Hash: 2af3c30d7b6022b3f9992c13e24cb28e56c25f3ad81fed9d69f16518bdfab668
Instruction Fuzzy Hash: 36F0C22081CB9E8EEF56AB584C563F57790EF66310F44A076E00DC24C2CD582699C366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B71150 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ab49830e0eadf95c6126543e47425f35470fe84d11a4d539a9b686afd69ab4
Instruction ID: 1fad2b2f0448b49b2870d1ca0d3037b8e4e27b79d26d7bfd12d8ff8d63fd26a2
Opcode Fuzzy Hash: 99ab49830e0eadf95c6126543e47425f35470fe84d11a4d539a9b686afd69ab4
Instruction Fuzzy Hash: 4FE0AB31508A2D8FFB80F538900817573E1EB88214F1005BBDC0DC62E8DC3C5883C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B710EB Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a34a90c64e8715ffbf581006d6bd555b5bc1cc0df3561599524dd0235721af1
Instruction ID: ce4b3bfb2876bac1e9de2e83aa2de85d72fb29bac09c29309bb05b03b7cab36c
Opcode Fuzzy Hash: 4a34a90c64e8715ffbf581006d6bd555b5bc1cc0df3561599524dd0235721af1
Instruction Fuzzy Hash: F9D05B11B5DA1D4BD744F67D78961F973C1EFD81217841A7BD40EC31C6DC5998458240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B778C2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29705b59820cf291ba3fd2c1171eb638a159d1f1533363718a2e36b574fcef04
Instruction ID: 458bee62fa87e82f44340215abdbc20374e1dcc05e29b235fa27973e1a2cc4cb
Opcode Fuzzy Hash: 29705b59820cf291ba3fd2c1171eb638a159d1f1533363718a2e36b574fcef04
Instruction Fuzzy Hash: 22E0460040E3D40EEB0B13344C2A2113FB0AF43204F4E90EBD085CA0E3D94D854AC326

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B742D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1652b74910914e43d29d32603500a00eb740e87425014b36353e2b7253126fe1
Instruction ID: 43c39e85f2c244e1feb906028326bb8c31597d7ba7e8b5ac2272a971268844e9
Opcode Fuzzy Hash: 1652b74910914e43d29d32603500a00eb740e87425014b36353e2b7253126fe1
Instruction Fuzzy Hash: 42D09531808A1E47ED40B53448C50B4B3E0FFC9215F804A35D44DD2083ED4C03874245

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC08B730B3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93298c67ecf5e24240be858efcacfc8830a590e6bf0c1b0034c46803b5fe7a18
Instruction ID: 7dcf90b3a9fa36c03c660e4e78d6685ba380f86ee257dd27d03cecf83cb0d43d
Opcode Fuzzy Hash: 93298c67ecf5e24240be858efcacfc8830a590e6bf0c1b0034c46803b5fe7a18
Instruction Fuzzy Hash: 48A00202EDA92E019944609D7C830D8B24CC785172BC57572EA08C428AAC8F1BD782A5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC08B71BC0 Relevance: 5.4, Strings: 4, Instructions: 418COMMON

Download Yara Rule

Strings

XO0g, xrefs: 00007FFC08B71EFD
%a_^, xrefs: 00007FFC08B71CB1
XO0g, xrefs: 00007FFC08B71DFF
XO0g, xrefs: 00007FFC08B71F7C

Memory Dump Source

Source File: 00000001.00000002.358102268.00007FFC08B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffc08b70000_e8k60omgBH.jbxd

Similarity

API ID:
String ID: %a_^$XO0g$XO0g$XO0g
API String ID: 0-3233574621
Opcode ID: 309c2ab4243aaad0c980b84853d607705dce8fc1badfcc93279832dbc0e19f93
Instruction ID: d927b142ca95443929548eb95ac62a20ddc363b4ac633d9d709fc67141a43950
Opcode Fuzzy Hash: 309c2ab4243aaad0c980b84853d607705dce8fc1badfcc93279832dbc0e19f93
Instruction Fuzzy Hash: 13C1F863A1CA6A4BEE54E65CAC865F473D1EF89320B148076C04CCB1D3DE18694BC3BA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report e8k60omgBH

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_e8k60omgBH.exe_d33dd7c6dac0c4cca61d80baa15e5972586dbdb_2fe487e9_1490243b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1362.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER197E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AA7.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
e8k60omgBH