Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1500631
MD5:	171eeb8ca5c439e8af9e180a5f6a09f8
SHA1:	0cd33a5c35f8c5ad98c5eab9b11946b1ff146bb3
SHA256:	26de39355a5ffb112e494503f44bd63c8e2bc7dba35d58fedaaea1c84f868748
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1212 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 171EEB8CA5C439E8AF9E180A5F6A09F8)

WerFault.exe (PID: 2732 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 876 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 13%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2538218295.000000000199C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER300C.tmp.dmp.4.dr
Source:	Binary string: attachment_dddLAB.pdb source: file.exe, WER300C.tmp.dmp.4.dr
Source:	Binary string: b77a5c561934e089ib.pdb source: file.exe, 00000000.00000002.2538218295.00000000019B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER300C.tmp.dmp.4.dr
Source:	Binary string: mDC:\Windows\attachment_dddLAB.pdb source: file.exe, 00000000.00000002.2537906085.00000000016F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER300C.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\exe\attachment_dddLAB.pdb. source: file.exe, 00000000.00000002.2538218295.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\attachment_dddLAB.pdbioISE source: file.exe, 00000000.00000002.2538218295.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER300C.tmp.dmp.4.dr

Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_035892B0		0_2_035892B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03589520		0_2_03589520

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 876

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2538218295.000000000197E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1212

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\028b5c0f-2a54-4c31-8e31-68b308d7c494

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.87%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 876

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 4643392 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3e8600

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2538218295.000000000199C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER300C.tmp.dmp.4.dr
Source:	Binary string: attachment_dddLAB.pdb source: file.exe, WER300C.tmp.dmp.4.dr
Source:	Binary string: b77a5c561934e089ib.pdb source: file.exe, 00000000.00000002.2538218295.00000000019B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER300C.tmp.dmp.4.dr
Source:	Binary string: mDC:\Windows\attachment_dddLAB.pdb source: file.exe, 00000000.00000002.2537906085.00000000016F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER300C.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\exe\attachment_dddLAB.pdb. source: file.exe, 00000000.00000002.2538218295.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\attachment_dddLAB.pdbioISE source: file.exe, 00000000.00000002.2538218295.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER300C.tmp.dmp.4.dr

Source: file.exe

Static PE information: 0x80A2A9F9 [Sat May 22 12:26:33 2038 UTC]

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0358354D push esp; retf 0002h		0_2_0358354E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03586E16 push ds; ret		0_2_03586E1D

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 37F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1CF0000 memory reserve \| memory write watch	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://aka.ms/dotnet-warnings/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	file.exe	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	file.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-warnings/	file.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	file.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	file.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500631
Start date and time:	2024-08-28 18:56:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal52.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 91% Number of executed functions: 11 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 1212 because it is empty
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f474d7ace939a34cc5b3cdfa86976697e4a181ee_ce8703b6_e31620dd-330d-450a-b53a-41b59fb426cf\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8607905807155944
Encrypted:	false
SSDEEP:	192:G9eGpF7viSyZs0BU/b0xaGgzuiFMZ24IO8HhB:zQ/iBU/aaBzuiFMY4IO8X
MD5:	A6904115820570E71CFE6CB89333F2D9
SHA1:	E5BEB36717443DABC9BAD20A6EE381026228BD47
SHA-256:	ED7FD768DEE0D365B4E03D893DFB42C16DC0E59C82CA52EFD72A7B62E8F6EDBC
SHA-512:	6E6B1AE8DFEAED5D0010D24314D45EB4BD54BA6E1DC56987BFE7E45A360469D4C7309BC8DAECA741E27A0F98CCD6557D90D780964B36180B41190B1CAFB1599A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.3.7.8.5.3.5.9.8.1.5.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.3.7.8.5.4.1.6.0.6.6.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.1.6.2.0.d.d.-.3.3.0.d.-.4.5.0.a.-.b.5.3.a.-.4.1.b.5.9.f.b.4.2.6.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.b.8.5.b.a.b.-.f.b.c.b.-.4.e.2.9.-.a.7.0.3.-.0.2.6.1.5.f.6.1.6.8.f.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.b.c.-.0.0.0.1.-.0.0.1.5.-.9.e.d.f.-.e.e.5.f.6.b.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.0.c.d.3.3.a.5.c.3.5.f.8.c.5.a.d.9.8.c.5.e.a.b.9.b.1.1.9.4.6.b.1.f.f.1.4.6.b.b.3.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.8././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER300C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Aug 28 16:57:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	204085
Entropy (8bit):	4.316557111474212
Encrypted:	false
SSDEEP:	3072:doeUU4Wku4uEqHz/fHLTgfUAYAgvOcwUZAdZUFj:dNUY42bzTgsAt
MD5:	172CBE5A8F2450839DC069D49BFCAD37
SHA1:	FFA49AE5FE5635AF03B51D380C1D0C37968500FD
SHA-256:	386DFA888E1A5C32066BA23A7AD42FC7026738CE0E3EAE786959C1B69D135AB6
SHA-512:	87D3CC68B970DC4EDED98FA6D17EB414FD28098BA2134FFE83F634CD8B1D7939A6BE1171E04C4D2849BF7D583B9C0759BD1EF226A82A39FDC20CE3EF97E6353A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........V.f........................\...........$............$...7..........`.......8...........T............"..u.......................................................................................................eJ..............GenuineIntel............T............V.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3126.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8378
Entropy (8bit):	3.6921454463737695
Encrypted:	false
SSDEEP:	192:R6l7wVeJICp6xL6Y2D6SUF3TFgGgmfZDc03prp89bxKsfaG7m:R6lXJR6xL6YXSUNTTgmf3Mxpfu
MD5:	70C84255F3EF377A3FEDE7CE8A89C930
SHA1:	B1450E8F5EFF05BF0DB023EA34BE26940A406C16
SHA-256:	7F1D8FEC8F47B1B4A93D798F76864D63294DE9D34387C612B68091EFD283D446
SHA-512:	704F062CB8C394F22D06F5284C55B616C285D2E4BBF2FD7E358B2B9C17E6A020C9AFE4AE66D568F8A43BFE652B521A9D3A4E55624B0C39F7AD7BD76087B99F24
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3146.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4679
Entropy (8bit):	4.45806655232794
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBuJg77aI9SVWpW8VYzYm8M4Jl9B2Fo+q8vp9B8jDsd:uIjfqI78k7VDJtKKjDsd
MD5:	62CADB92CA84E653A1B31AB6E72B94A3
SHA1:	7EAA5195DE2BADF6D8E3F28A025CC9AEF96C4A80
SHA-256:	A20060D7E5341E5CF1165C57D4318BB587619F8B3A26B37F1109D6493042E163
SHA-512:	97DCABCF11DD604E24DEFDDEAC2B1AD2E7B662A0664EEFF9A188E1DD4FF983E2026F5F463FB1116BE5E559B1A5E9CA1CC5126289019338B7F8FA5096D580CF76
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475680" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468542828746928
Encrypted:	false
SSDEEP:	6144:lzZfpi6ceLPx9skLmb0frZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:dZHtrZWOKnMM6bFp9j4
MD5:	1956AE6B97FD9298C7AD75EC2D49CD00
SHA1:	5C009AD3263B2478F95E28285471CA4817FDCB3E
SHA-256:	C68F9F80722C537D113F0B890742FA6AF0A130BB439BE8AED94031AB6C8FA537
SHA-512:	1857ABA9E6FD65E4CE9E5E3B6A011795F9E3C15B68218E89F06AA47EFA07744E68B06BDA1218966B9E0104BD6171C3FE80B76F84794B02F1F013467856BB7E47
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.zT`k...............................................................................................................................................................................................................................................................................................................................................7.CT........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.466268556988696
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.87% Win32 Executable (generic) a (10002005/4) 49.82% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	file.exe
File size:	4'643'392 bytes
MD5:	171eeb8ca5c439e8af9e180a5f6a09f8
SHA1:	0cd33a5c35f8c5ad98c5eab9b11946b1ff146bb3
SHA256:	26de39355a5ffb112e494503f44bd63c8e2bc7dba35d58fedaaea1c84f868748
SHA512:	82180324dac7a7c0020d7afa70a827489cafb01c98ee947d93957673e6ef72775cfd6658d06412196c12401293675712fcfb80a632cce0e6dd381295902dc8da
SSDEEP:	98304:q1H0pPbGUO4gORpEYYAA9Yd9Bw0/N+2IDSu839hqt4XIr:qqz/O4gOQYTAww0/N+fSzNg
TLSH:	0926BE0A3C50CE22F1194237C99D944857629B612BF2F37B3D76721E65223E7788F98E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................>...........>.. ....>...@.. ........................F......-G...@................................

File Icon


Icon Hash:	06766e4f1e396137

Static PE Info

General

Entrypoint:	0x7ea52e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x80A2A9F9 [Sat May 22 12:26:33 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	27/08/2024 19:25:18 28/08/2034 19:25:18
Subject Chain	CN=(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)(^^^^^^^^^^^^)(%%%%%%%%%%%%%)(@@@@@@@@@@@@@@@@@)(//////////////////////////////)(\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\)
Version:	3
Thumbprint MD5:	0D68771C6FA94F678A4488FBB89CD51E
Thumbprint SHA-1:	85A510C47B995445B42A12CB7A3DCD017632D157
Thumbprint SHA-256:	DA706B518FD2611CE17A28ABAD04CBA0A7F36539D7B3A540A7ABA19DCA508EF6
Serial:	4957F7932C80D7914AB1FDB12E11EE37

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ea4e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ee000	0x7bc6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x464c00	0x8e40
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3ea493	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3e8534	0x3e8600	d37c212a32e4bbe864c9c86c596d52d9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x3ec000	0x1f0	0x200	e4a1a50b89c9e1c0b11a24eec6dadb85	False	0.876953125	data	6.662579920667493	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3ee000	0x7bc6c	0x7be00	6cb8d1b5d7de7dd71da4b621b450acc2	False	0.45092945887991925	data	6.504664736026332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46a000	0xc	0x200	ec6fbcdff192e4df16fd3dec833e99c6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3ef1f4	0x2	data	Japanese	Japan	5.0
AFX_DIALOG_LAYOUT	0x3ef1f8	0x2	data	Japanese	Japan	5.0
AVI	0x3ef1fc	0xac00	RIFF (little-endian) data, AVI, 95 x 57, video: uncompressed RLE 8bpp	Japanese	Japan	0.3108421148255814
RT_CURSOR	0x3f9dfc	0x134	data	Japanese	Japan	0.33116883116883117
RT_CURSOR	0x3f9f30	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.4805194805194805
RT_CURSOR	0x3fa064	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Japanese	Japan	0.7
RT_CURSOR	0x3fa118	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.37662337662337664
RT_CURSOR	0x3fa24c	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Japanese	Japan	0.36363636363636365
RT_CURSOR	0x3fa380	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.36688311688311687
RT_CURSOR	0x3fa4b4	0x134	data	Japanese	Japan	0.37662337662337664
RT_CURSOR	0x3fa5e8	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Japanese	Japan	0.5422077922077922
RT_CURSOR	0x3fa71c	0x134	data	Japanese	Japan	0.37337662337662336
RT_CURSOR	0x3fa850	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.38636363636363635
RT_CURSOR	0x3fa984	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.35714285714285715
RT_CURSOR	0x3faab8	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Japanese	Japan	0.36688311688311687
RT_CURSOR	0x3fabec	0x134	data	Japanese	Japan	0.44155844155844154
RT_CURSOR	0x3fad20	0x134	data	Japanese	Japan	0.4155844155844156
RT_CURSOR	0x3fae54	0x134	data	Japanese	Japan	0.2662337662337662
RT_CURSOR	0x3faf88	0x134	data	Japanese	Japan	0.2824675324675325
RT_CURSOR	0x3fb0bc	0x134	data	Japanese	Japan	0.3246753246753247
RT_BITMAP	0x3fb1f0	0x5888	Device independent bitmap graphic, 600 x 36 x 8, image size 21600	Japanese	Japan	0.06441934345217085
RT_BITMAP	0x400a78	0xfd48	Device independent bitmap graphic, 600 x 36 x 24, image size 64800	Japanese	Japan	0.015021591610117211
RT_BITMAP	0x4107c0	0x2e58	Device independent bitmap graphic, 120 x 90 x 8, image size 10800, resolution 3780 x 3780 px/m	Japanese	Japan	0.3295684423465947
RT_BITMAP	0x413618	0x4b08	Device independent bitmap graphic, 168 x 108 x 8, image size 18144, resolution 3780 x 3780 px/m	Japanese	Japan	0.29607455226988755
RT_BITMAP	0x418120	0xdf8	Device independent bitmap graphic, 34 x 34 x 24, image size 3536	Japanese	Japan	0.433165548098434
RT_BITMAP	0x418f18	0xdf8	Device independent bitmap graphic, 34 x 34 x 24, image size 3536	Japanese	Japan	0.6031879194630873
RT_BITMAP	0x419d10	0x4a8	Device independent bitmap graphic, 15 x 24 x 24, image size 1152	Japanese	Japan	0.15016778523489932
RT_BITMAP	0x41a1b8	0x4a8	Device independent bitmap graphic, 15 x 24 x 24, image size 1152	Japanese	Japan	0.125
RT_BITMAP	0x41a660	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Japanese	Japan	0.44565217391304346
RT_BITMAP	0x41a718	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Japanese	Japan	0.37962962962962965
RT_ICON	0x41a85c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	German	Switzerland	0.46646341463414637
RT_ICON	0x41b904	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	German	Switzerland	0.3727562588568729
RT_ICON	0x41fb2c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	German	Switzerland	0.3129066603572696
RT_ICON	0x430354	0x104fa	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	German	Switzerland	0.9921119592875318
RT_ICON	0x440850	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	Japanese	Japan	0.46646341463414637
RT_ICON	0x4418f8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	Japanese	Japan	0.3727562588568729
RT_ICON	0x445b20	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Japanese	Japan	0.3129066603572696
RT_ICON	0x456348	0x104fa	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Japanese	Japan	0.9921119592875318
RT_DIALOG	0x466844	0x5e	data	Japanese	Japan	0.8617021276595744
RT_DIALOG	0x4668a4	0x40	data	Japanese	Japan	0.78125
RT_DIALOG	0x4668e4	0x100	data	Japanese	Japan	0.61328125
RT_DIALOG	0x4669e4	0xd8	data	Japanese	Japan	0.6620370370370371
RT_DIALOG	0x466abc	0xd8	data	Japanese	Japan	0.6481481481481481
RT_DIALOG	0x466b94	0x1a4	data	Japanese	Japan	0.5119047619047619
RT_DIALOG	0x466d38	0xe4	data	Japanese	Japan	0.6008771929824561
RT_DIALOG	0x466e1c	0x140	data	Japanese	Japan	0.575
RT_DIALOG	0x466f5c	0x26c	data	Japanese	Japan	0.49838709677419357
RT_DIALOG	0x4671c8	0xe8	data	Japanese	Japan	0.6594827586206896
RT_DIALOG	0x4672b0	0x124	data	Japanese	Japan	0.5308219178082192
RT_DIALOG	0x4673d4	0x26c	data	Japanese	Japan	0.4129032258064516
RT_DIALOG	0x467640	0x2ec	data	Japanese	Japan	0.30080213903743314
RT_DIALOG	0x46792c	0x4c	data	Japanese	Japan	0.8947368421052632
RT_DIALOG	0x467978	0x40	data	Japanese	Japan	0.8125
RT_DIALOG	0x4679b8	0x114	data	Japanese	Japan	0.5905797101449275
RT_DIALOG	0x467acc	0xe0	data	Japanese	Japan	0.6473214285714286
RT_DIALOG	0x467bac	0xe8	data	Japanese	Japan	0.6336206896551724
RT_DIALOG	0x467c94	0x34	data	Japanese	Japan	0.9038461538461539
RT_STRING	0x467cc8	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	Japanese	Japan	0.7153846153846154
RT_STRING	0x467d4c	0x2a	data	Japanese	Japan	0.5476190476190477
RT_STRING	0x467d78	0x184	data	Japanese	Japan	0.48711340206185566
RT_STRING	0x467efc	0x4ee	data	Japanese	Japan	0.375594294770206
RT_STRING	0x4683ec	0x264	data	Japanese	Japan	0.3333333333333333
RT_STRING	0x468650	0x2da	data	Japanese	Japan	0.3698630136986301
RT_STRING	0x46892c	0x8a	data	Japanese	Japan	0.6594202898550725
RT_STRING	0x4689b8	0xac	data	Japanese	Japan	0.45348837209302323
RT_STRING	0x468a64	0xde	data	Japanese	Japan	0.536036036036036
RT_STRING	0x468b44	0x4a8	data	Japanese	Japan	0.3221476510067114
RT_STRING	0x468fec	0x228	data	Japanese	Japan	0.4003623188405797
RT_STRING	0x469214	0x2c	data	Japanese	Japan	0.5227272727272727
RT_STRING	0x469240	0x53e	data	Japanese	Japan	0.2965722801788376
RT_GROUP_CURSOR	0x469780	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.25
RT_GROUP_CURSOR	0x469794	0x22	Lotus unknown worksheet or configuration, revision 0x2	Japanese	Japan	1.0
RT_GROUP_CURSOR	0x4697b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x4697cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x4697e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x4697f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x469808	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x46981c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x469830	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x469844	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x469858	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x46986c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x469880	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x469894	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x4698a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_CURSOR	0x4698bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan	1.3
RT_GROUP_ICON	0x4698d0	0x3e	data	German	Switzerland	0.8064516129032258
RT_GROUP_ICON	0x469910	0x3e	data	Japanese	Japan	0.8709677419354839
RT_MANIFEST	0x469950	0x31c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (736), with CRLF line terminators	English	United States	0.5238693467336684

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
German	Switzerland
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 1212, Parent PID: 4004

General

Target ID:	0
Start time:	12:57:32
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf00000
File size:	4'643'392 bytes
MD5 hash:	171EEB8CA5C439E8AF9E180A5F6A09F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2732, Parent PID: 1212

General

Target ID:	4
Start time:	12:57:33
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 876
Imagebase:	0x1f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 1212, Parent PID: 4004COMMON

Executed Functions

Function 03583772 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

4, xrefs: 03583772

Memory Dump Source

Source File: 00000000.00000002.2538538905.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3580000_file.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 24fb42a199bc439ebe260d8941e957b6c6cff51843437abd163efc0da8120beb
Instruction ID: f3079b7163044fcde66334dab963c0d391cb3d2ea5d1462e2bc7b6ef3645b6f2
Opcode Fuzzy Hash: 24fb42a199bc439ebe260d8941e957b6c6cff51843437abd163efc0da8120beb
Instruction Fuzzy Hash: 7E51B678D002A8CFDB64EF24D998AD9BBB1EB49340F1040EAD94DA3394DBB45EC59F11

Function 037736BB Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc753ec39f904717db6d26ea3e3c44e1fe3a0fcc81a44c33b3b08c952840dc8a
Instruction ID: 650eb2cafb29a4bd56d8a09b512e58dbafd6689fbdf36394d03f5eef55ed8212
Opcode Fuzzy Hash: cc753ec39f904717db6d26ea3e3c44e1fe3a0fcc81a44c33b3b08c952840dc8a
Instruction Fuzzy Hash: FA51B274D00219CFDF64EFA4D858AADBBB1FF48300F20816AD519A7265EB349985DF90

Function 03773A51 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d2cf1891008091dbe925d8a8451ef07df9f8db266b20244dbd6b2ac92ff10d
Instruction ID: 94f0d721fa7d253765efecdff15ef3aac9d4e79cb6092489c64180b156778d69
Opcode Fuzzy Hash: 38d2cf1891008091dbe925d8a8451ef07df9f8db266b20244dbd6b2ac92ff10d
Instruction Fuzzy Hash: 4151E178D00209CFEF14DFA9D888AEEBBF5FB48300F148429E415A7260EB749945EF95

Function 03773939 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456399bf416eff47c8dfe721769f3f2e014c5e1f8295788d71fd4988a1657dca
Instruction ID: 66b4f31ff5101a8230f2a8e3b9b48284061433477dbea77117b2a5eb5397c36e
Opcode Fuzzy Hash: 456399bf416eff47c8dfe721769f3f2e014c5e1f8295788d71fd4988a1657dca
Instruction Fuzzy Hash: 6C211475D04209DFEF44DFA9D845AEEBBF1EF88304F048469D815A32A4EB346A06DF91

Function 03587291 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538538905.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629cef6556564b9f4f00d6dc302a82f13a2dccbdd4eb2fb13df2b1a5c66b2aa5
Instruction ID: a0581edeafb7e027c56efa05ddbd11d5c991d8b2181c6bebe5a473a556b47a07
Opcode Fuzzy Hash: 629cef6556564b9f4f00d6dc302a82f13a2dccbdd4eb2fb13df2b1a5c66b2aa5
Instruction Fuzzy Hash: 4F010478D052A9CBEB20EF29D944BCDB6B2FB04700F0140EAA418F3291D7385A858F10

Function 037738D9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6e77ae0a9a3bfa9bd6d13781bd63b20614b1bd27fa9b45788628c5c1356f93
Instruction ID: b19699891ed6638fd73a1e8999f46b17a6a66c361c12a3af62e2f49e38474b61
Opcode Fuzzy Hash: 6a6e77ae0a9a3bfa9bd6d13781bd63b20614b1bd27fa9b45788628c5c1356f93
Instruction Fuzzy Hash: 76F06D359592498FDB50DFB8E8896A9BFF0EB0A215F1445EAC808D3211E7329545EB40

Function 03773A00 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9370831aeb0934bd613a23de74c381b288bea89a724e913a827452503f518586
Instruction ID: 2771730619a9d0869adfb934f54b51d0ab6fa4bd086f70278811063c63bd01bf
Opcode Fuzzy Hash: 9370831aeb0934bd613a23de74c381b288bea89a724e913a827452503f518586
Instruction Fuzzy Hash: B9F03074D05249DFEB50DBB8D58975DBAF4EF04305F1585A5A808D3210F7308A40AA80

Function 037739F1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9a495ff099327a18e90deb898361ba72ea7bb201b8862de6174f77b69661aa
Instruction ID: 2d84335f69b6f3dc7df726e52fe04f5a388246e41ccd6a642d86e42a09c0b1b6
Opcode Fuzzy Hash: bc9a495ff099327a18e90deb898361ba72ea7bb201b8862de6174f77b69661aa
Instruction Fuzzy Hash: 8AF09B71D552498FDB50DFB4D8896AC7FF0EB05210F0509E6E804D3211E6319544E741

Function 037738E8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f1617559c5828fd1301b4ae72d998a30b7e397184a6073b7ee7505066d292b
Instruction ID: 0f495d75fd1e68a3d5b52ebe4fd2a7d54d3b3725ee4781ad9f7721fdb04e8090
Opcode Fuzzy Hash: f9f1617559c5828fd1301b4ae72d998a30b7e397184a6073b7ee7505066d292b
Instruction Fuzzy Hash: 97F0C974D05209DFEB50EFB9D5487AEFAF4AF08209F1484A59808E3210E7308A45AA91

Function 03583C2B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538538905.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed0149d296f4f5eb7d0b31d725687d676977de556775398a46d390feb58335f
Instruction ID: 487161c22fe01e461ceff2ff5e359f751e3815a1298244de0b9daef01a31558d
Opcode Fuzzy Hash: 2ed0149d296f4f5eb7d0b31d725687d676977de556775398a46d390feb58335f
Instruction Fuzzy Hash: FAF07479C4426ACFCBA0EF54D984AE8B7B1BF08751F4114E6D829A3260D7745E859F10

Function 0377108E Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a828a3b484c9e50e3f46ff0f2df42f2512bec656fe018a9961a4924c06307bbd
Instruction ID: ba972873f74b7e8dbebadb4c6ced2731c76168334721da0fd516f4eb9ca5e6ff
Opcode Fuzzy Hash: a828a3b484c9e50e3f46ff0f2df42f2512bec656fe018a9961a4924c06307bbd
Instruction Fuzzy Hash: 79C04C3090810ACBDF509E98D09966DBB71E716341F514C51D115A616AD73895849B85

Non-executed Functions

Function 035892B0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538538905.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e328637efa61dea18f834524e72b63cc1974450771af2ad165117bb147794e
Instruction ID: 0cbd16463e23cffa1653442c3f84b25f666a37b477a2239743a3f4d4160e7338
Opcode Fuzzy Hash: 93e328637efa61dea18f834524e72b63cc1974450771af2ad165117bb147794e
Instruction Fuzzy Hash: 22511970A0420ACFDB59DFBAE85479EBBF2FF88300F04C529D055EB268EB7959058B50

Function 03589520 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2538538905.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ac77b6cfabab79895d850aac937142e9daaacb9a46a880182aeb9381b8d961
Instruction ID: d930118f4179e23cb57524ae00ddc1a3e31614efee920c156124b7bd7d1ebc20
Opcode Fuzzy Hash: 49ac77b6cfabab79895d850aac937142e9daaacb9a46a880182aeb9381b8d961
Instruction Fuzzy Hash: 9051A271E056148BEB69CF6B8D4078AFAF7BFC4204F18C1B9D40CA7264DB704A858F51

Function 035829BF Relevance: 5.0, Strings: 4, Instructions: 42COMMON

Download Yara Rule

Strings

l, xrefs: 035829C9
`, xrefs: 03582A36
H, xrefs: 03582A13
+, xrefs: 03582A09

Memory Dump Source

Source File: 00000000.00000002.2538538905.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3580000_file.jbxd

Similarity

API ID:
String ID: +$H$`$l
API String ID: 0-1979963692
Opcode ID: e9aefc970bcc34462dd4a3d353e7a8ab597dd5ad21dec07b06b618b0f9c9d362
Instruction ID: 80f398dd122f4962f3ba9c911fbfd30cbbe23ea7172c3e9c669cb2358026abfb
Opcode Fuzzy Hash: e9aefc970bcc34462dd4a3d353e7a8ab597dd5ad21dec07b06b618b0f9c9d362
Instruction Fuzzy Hash: 9E01DAB5D4A369CBEB60DF65DD407E9F7B1BB42704F0164E9C108B3241D7399A858F18

Function 0377010A Relevance: 5.0, Strings: 4, Instructions: 41COMMON

Download Yara Rule

Strings

5, xrefs: 03770156
/, xrefs: 037701E1
s, xrefs: 03770183
{, xrefs: 0377011A

Memory Dump Source

Source File: 00000000.00000002.2538757475.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3770000_file.jbxd

Similarity

API ID:
String ID: /$5$s${
API String ID: 0-515719599
Opcode ID: a43bbd3bd2e09e5866d07f59aa3c882ec222a4ffe59a0ca22aa3b91d6e11abe2
Instruction ID: 4b16b3fadc74d687b660c75d6c9250dad788e78ce1b4d202ae077aed63c4cf10
Opcode Fuzzy Hash: a43bbd3bd2e09e5866d07f59aa3c882ec222a4ffe59a0ca22aa3b91d6e11abe2
Instruction Fuzzy Hash: 5121D374D05219CFDB61CF98C598BADBBF4BB08304F1644E5E928A7366D7349A84CF50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f474d7ace939a34cc5b3cdfa86976697e4a181ee_ce8703b6_e31620dd-330d-450a-b53a-41b59fb426cf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER300C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3126.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3146.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: file.exePID: 1212, Parent PID: 4004

Windows Analysis Report
file.exe