Windows Analysis Report
Copy60330548196.exe

Overview

General Information

Sample name:	Copy60330548196.exe
Analysis ID:	1526377
MD5:	f6059b7e84de5f51eb7c2be5874c895e
SHA1:	b9da6c67e47cb2b21125a1d0b9ba469b3b5ecacd
SHA256:	59e7fb46b2712f447bd8e6da840d2000f9f7af01c843a111c851745ec8f6a04d
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Copy60330548196.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://98.142.254.109/ii/Meqvrjzz.wav	Virustotal: Detection: 13%			Perma Link
Source: http://98.142.254.109	Virustotal: Detection: 5%			Perma Link

Multi AV Scanner detection for submitted file

Source: Copy60330548196.exe	Virustotal: Detection: 70%			Perma Link
Source: Copy60330548196.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Machine Learning detection for sample

Source: Copy60330548196.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Copy60330548196.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Copy60330548196.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 98.142.254.109 98.142.254.109

Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109

Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive

Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109
Source: Copy60330548196.exe	String found in binary or memory: http://98.142.254.109/ii/Meqvrjzz.wav
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B96000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109/ii/Meqvrjzz.wavP
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109/ii/Meqvrjzz.wavt
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B96000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109D
Source: Copy60330548196.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Copy60330548196.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Copy60330548196.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Copy60330548196.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Copy60330548196.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Copy60330548196.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Copy60330548196.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Copy60330548196.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Copy60330548196.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Copy60330548196.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Copy60330548196.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Copy60330548196.exe	String found in binary or memory: http://s.symcd.com06
Source: Copy60330548196.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Copy60330548196.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copy60330548196.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Copy60330548196.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Copy60330548196.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Copy60330548196.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Copy60330548196.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Copy60330548196.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Copy60330548196.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Copy60330548196.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Copy60330548196.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Copy60330548196.exe	String found in binary or memory: https://www.digicert.com/CPS0

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Copy60330548196.exe

Process Stats: CPU usage > 49%

PE / OLE file has an invalid certificate

Source: Copy60330548196.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: Copy60330548196.exe, 00000000.00000002.3910279380.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Copy60330548196.exe

Uses 32bit PE files

Source: Copy60330548196.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\Copy60330548196.exe

Mutant created: NULL

Source: Copy60330548196.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Copy60330548196.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Copy60330548196.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Copy60330548196.exe	Virustotal: Detection: 70%
Source: Copy60330548196.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Copy60330548196.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Copy60330548196.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Copy60330548196.exe, UtilsInterceptorStub.cs

.Net Code: ComputeAuthentication System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Copy60330548196.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Copy60330548196.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Copy60330548196.exe	Window / User API: threadDelayed 1597			Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Window / User API: threadDelayed 8242			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 3656	Thread sleep count: 1597 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 3656	Thread sleep count: 8242 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98685s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98275s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98051s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94437s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99530	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98685	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98577	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98275	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98171	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98051	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97827	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97499	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96952	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96843	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96624	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96515	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96405	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96296	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96187	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96077	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95968	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95859	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95749	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95640	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95531	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95421	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95092	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94874	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94765	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94547	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94437	Jump to behavior

Source: Copy60330548196.exe, 00000000.00000002.3910279380.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.

Enables debug privileges

Source: C:\Users\user\Desktop\Copy60330548196.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Copy60330548196.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Copy60330548196.exe

Queries volume information: C:\Users\user\Desktop\Copy60330548196.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Copy60330548196.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
98.142.254.109	unknown	Canada		30407	VELCOMCA	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://98.142.254.109/ii/Meqvrjzz.wav	false	14%, Virustotal, Browse	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Copy60330548196.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://98.142.254.109/ii/Meqvrjzz.wav	Virustotal: Detection: 13%			Perma Link
Source: http://98.142.254.109	Virustotal: Detection: 5%			Perma Link

Multi AV Scanner detection for submitted file

Source: Copy60330548196.exe	Virustotal: Detection: 70%			Perma Link
Source: Copy60330548196.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Machine Learning detection for sample

Source: Copy60330548196.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Copy60330548196.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Copy60330548196.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 98.142.254.109 98.142.254.109

Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109
Source: unknown	TCP traffic detected without corresponding DNS query: 98.142.254.109

Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ii/Meqvrjzz.wav HTTP/1.1Host: 98.142.254.109Connection: Keep-Alive

Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109
Source: Copy60330548196.exe	String found in binary or memory: http://98.142.254.109/ii/Meqvrjzz.wav
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B96000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109/ii/Meqvrjzz.wavP
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109/ii/Meqvrjzz.wavt
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B96000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://98.142.254.109D
Source: Copy60330548196.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Copy60330548196.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Copy60330548196.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Copy60330548196.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Copy60330548196.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Copy60330548196.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Copy60330548196.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Copy60330548196.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Copy60330548196.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Copy60330548196.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Copy60330548196.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Copy60330548196.exe	String found in binary or memory: http://s.symcd.com06
Source: Copy60330548196.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Copy60330548196.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Copy60330548196.exe, 00000000.00000002.3911013213.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copy60330548196.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Copy60330548196.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Copy60330548196.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Copy60330548196.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Copy60330548196.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Copy60330548196.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Copy60330548196.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Copy60330548196.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Copy60330548196.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Copy60330548196.exe	String found in binary or memory: https://www.digicert.com/CPS0

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Copy60330548196.exe

Process Stats: CPU usage > 49%

PE / OLE file has an invalid certificate

Source: Copy60330548196.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: Copy60330548196.exe, 00000000.00000002.3910279380.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Copy60330548196.exe

Uses 32bit PE files

Source: Copy60330548196.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\Copy60330548196.exe

Mutant created: NULL

Source: Copy60330548196.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Copy60330548196.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Copy60330548196.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Copy60330548196.exe	Virustotal: Detection: 70%
Source: Copy60330548196.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Copy60330548196.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Copy60330548196.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Copy60330548196.exe, UtilsInterceptorStub.cs

.Net Code: ComputeAuthentication System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Copy60330548196.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Copy60330548196.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Copy60330548196.exe	Window / User API: threadDelayed 1597			Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Window / User API: threadDelayed 8242			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 3656	Thread sleep count: 1597 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 3656	Thread sleep count: 8242 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98685s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98275s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -98051s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -96077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -95092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe TID: 5772	Thread sleep time: -94437s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99530	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98685	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98577	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98275	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98171	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 98051	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97827	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97499	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96952	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96843	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96624	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96515	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96405	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96296	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96187	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 96077	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95968	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95859	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95749	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95640	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95531	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95421	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 95092	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94874	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94765	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94547	Jump to behavior
Source: C:\Users\user\Desktop\Copy60330548196.exe	Thread delayed: delay time: 94437	Jump to behavior

Source: Copy60330548196.exe, 00000000.00000002.3910279380.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.

Enables debug privileges

Source: C:\Users\user\Desktop\Copy60330548196.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Copy60330548196.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Copy60330548196.exe

Queries volume information: C:\Users\user\Desktop\Copy60330548196.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Copy60330548196.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1526377
Product:	CloudBasic
Start time:	14:36:09
Start date:	05.10.2024
Sample:	Copy60330548196.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f6059b7e84de5f51eb7c2be5874c895e
SHA1:	b9da6c67e47cb2b21125a1d0b9ba469b3b5ecacd
SHA256:	59e7fb46b2712f447bd8e6da840d2000f9f7af01c843a111c851745ec8f6a04d
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Windows Analysis Report
Copy60330548196.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report Copy60330548196.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
Copy60330548196.exe