Edit tour

Windows Analysis Report
AMFWReset.exe_

Overview

General Information

Sample name:	AMFWReset.exe_
Analysis ID:	1562584
MD5:	bcbf521304a3f6513072c640a99d9f01
SHA1:	1b542b20e95350735cdd8985dc3eca52eede751e
SHA256:	65e932a660d5b123fb20131605beb94a1b77ed7d922c6c9fddcef8640e1e45ca

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

AMFWReset.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\AMFWReset.exe" MD5: BCBF521304A3F6513072C640A99D9F01)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AMFWReset.exe_

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: AMFWReset.exe_

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: AMFWReset.exe_

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean1.winEXE_@1/0@0/0

Source: AMFWReset.exe_

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AMFWReset.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: amfwusers.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: mfcext.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: fwdbcore.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: mfc140.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AMFWReset.exe	Section loaded: vcruntime140.dll

Source: AMFWReset.exe_

Static file information: File size 20915712 > 1048576

Source: AMFWReset.exe_

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13e6800

Source: AMFWReset.exe_	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AMFWReset.exe_	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AMFWReset.exe_	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AMFWReset.exe_	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AMFWReset.exe_	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AMFWReset.exe_	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AMFWReset.exe_

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: AMFWReset.exe_

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: AMFWReset.exe_	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AMFWReset.exe_	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AMFWReset.exe_	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AMFWReset.exe_	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AMFWReset.exe_	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562584
Start date and time:	2024-11-25 18:26:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	AMFWReset.exe_
Detection:	CLEAN
Classification:	clean1.winEXE_@1/0@0/0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: AMFWReset.exe_

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.309731044510036
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AMFWReset.exe_
File size:	20'915'712 bytes
MD5:	bcbf521304a3f6513072c640a99d9f01
SHA1:	1b542b20e95350735cdd8985dc3eca52eede751e
SHA256:	65e932a660d5b123fb20131605beb94a1b77ed7d922c6c9fddcef8640e1e45ca
SHA512:	da47d6e0a2eb554b8aec0ace505cf79cf35fdcf3e13ee9632302d119aacd0c23bbd2520d02a6727d38859a453d3b5a8185897f7f48a1357349ccd08c9d664d9c
SSDEEP:	1536:E9N36Qr5RqlddWrPA5CeBs81necdQWO6Y20XmzmK1C7cmJjoL62ahDL:E9N335IPwev/Qn6+mi7DJsL6T5L
TLSH:	9127C597F644C053EE669EB02F6CE1F08AABAF220F40548B36727BED4C742D7552856C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............y...y...y.......y.')....y...}...y...z...y...\|...y...x...y.;.x...y...x...y.;.\|...y.;.y...y.;.....y.......y.;.{...y.Rich..y

File Icon


Icon Hash:	55ad95cbcdd69395

Static PE Info

General

Entrypoint:	0x403c06
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F453B8 [Wed Sep 25 18:17:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c50adb3dc1e05a8bc7e06f4e65a68b9b

Entrypoint Preview

Instruction
call 00007F83AD272BFCh
jmp 00007F83AD271DFAh
jmp 00007F83AD271FC5h
push 0000000Ch
push 0040A428h
call 00007F83AD272224h
mov byte ptr [ebp-19h], 00000000h
mov ebx, dword ptr [ebp+0Ch]
mov eax, ebx
mov edi, dword ptr [ebp+10h]
imul eax, edi
mov esi, dword ptr [ebp+08h]
add esi, eax
mov dword ptr [ebp+08h], esi
and dword ptr [ebp-04h], 00000000h
mov eax, edi
dec edi
mov dword ptr [ebp+10h], edi
test eax, eax
je 00007F83AD271FD7h
sub esi, ebx
mov dword ptr [ebp+08h], esi
mov ecx, dword ptr [ebp+14h]
call dword ptr [004064C4h]
mov ecx, esi
call dword ptr [ebp+14h]
jmp 00007F83AD271FA3h
mov al, 01h
mov byte ptr [ebp-19h], al
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F83AD271FE3h
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
retn 0010h
mov edi, dword ptr [ebp+10h]
mov ebx, dword ptr [ebp+0Ch]
mov esi, dword ptr [ebp+08h]
mov al, byte ptr [ebp-19h]
test al, al
jne 00007F83AD271FCDh
push dword ptr [ebp+14h]
push edi
push ebx
push esi
call 00007F83AD271FF5h
ret
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov edi, dword ptr [esi]
cmp dword ptr [edi], E06D7363h
je 00007F83AD271FC8h
pop edi
xor eax, eax
pop esi
pop ebp
ret
call 00007F83AD2732A9h
mov dword ptr [eax], edi
mov esi, dword ptr [esi+04h]
call 00007F83AD2732A5h
mov dword ptr [eax], esi
call 00007F83AD27335Bh
int3
push 00000018h
push 0000A448h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa4a0	0x6f8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab98	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x13e6650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13f4000	0xfe4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x95e8	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x96c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9528	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x4c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4659	0x4800	ce24f65ef22889cd14ad4000099616d1	False	0.4906141493055556	data	6.089025382181755	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x5dd6	0x5e00	8f7d7d90ed738cd5aed4d81a6ba0c23a	False	0.3914561170212766	data	4.8686899613532955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xa18	0x400	bdc3697bedf37e9f784d6d0ad21b54cc	False	0.2509765625	data	3.0050895690340647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd000	0x13e6650	0x13e6800	c7e789080dc1cb33682d66c0b60a1992	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13f4000	0xfe4	0x1000	449ba34f358426bc0289c54ef39bca08	False	0.808837890625	data	6.487189663050039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd3a0	0x9eb4a4	Device independent bitmap graphic, 2573 x 2586 x 24, image size 10400892	English	United States	0.001010894775390625
RT_ICON	0x9f8844	0x70a8	Device independent bitmap graphic, 96 x 192 x 24, image size 28800	English	United States	0.18678918169209432
RT_ICON	0x9ff8ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.3261410788381743
RT_ICON	0xa01e94	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	English	United States	0.4719135802469136
RT_ICON	0xa02b3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7845744680851063
RT_ICON	0xa02fa4	0x9eb4a4	Device independent bitmap graphic, 2573 x 2586 x 24, image size 10400892	English	United States	0.001010894775390625
RT_ICON	0x13ee448	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 10368	English	United States	0.27003149055283415
RT_ICON	0x13f10f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.5071961620469083
RT_ICON	0x13f1f98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5866425992779783
RT_ICON	0x13f2840	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4436416184971098
RT_DIALOG	0x13f2da8	0x112	data	English	United States	0.6532846715328468
RT_DIALOG	0x13f2ebc	0x184	data	English	United States	0.5592783505154639
RT_STRING	0x13f3040	0x46	data	English	United States	0.6714285714285714
RT_GROUP_ICON	0x13f3088	0x92	data	English	United States	0.6575342465753424
RT_VERSION	0x13f311c	0x304	data	English	United States	0.4585492227979275
RT_MANIFEST	0x13f3420	0x22f	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (499), with CRLF line terminators	English	United States	0.5295169946332737

Imports

DLL	Import
AMFWUsers.dll	??1CAMFWUsers@@UAE@XZ, ?LogAllOut@CAMFWUsers@@QAEHXZ, ?Read@CAMFWUsers@@QAEHPBDH@Z, ??0CAMFWUsers@@QAE@XZ
MFCExt.dll	StrFormatPath
fwdbCore.dll	??0XMLSerializer@@QAE@W4Mode@0@@Z, ?WriteValue@XMLSerializer@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ?WriteValue@XMLSerializer@@QAEXPBD@Z, ?WriteValue@XMLSerializer@@QAEXABH@Z, ?WriteValue@XMLSerializer@@QAEXAB_N@Z, ?WriteValue@XMLSerializer@@QAEXABM@Z, ?WriteValue@XMLSerializer@@QAEXABN@Z, ?WriteValue@XMLSerializer@@QAEXABJ@Z, ?ReadValue@XMLSerializer@@QAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ?ReadValue@XMLSerializer@@QAEXAAH@Z, ?ReadValue@XMLSerializer@@QAEXAA_N@Z, ?ReadValue@XMLSerializer@@QAEXAAM@Z, ?ReadValue@XMLSerializer@@QAEXAAN@Z, ?ReadValue@XMLSerializer@@QAEXAAJ@Z, ??1XMLSerializer@@QAE@XZ
mfc140.dll
KERNEL32.dll	OutputDebugStringW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, GetCurrentProcess, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, CreateEventW, WaitForSingleObjectEx, ResetEvent, SetEvent, LeaveCriticalSection, EnterCriticalSection, CloseHandle, LoadLibraryW, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, SetLastError, OutputDebugStringA, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, DecodePointer, RaiseException
USER32.dll	GetSystemMenu, UnregisterClassA, EnableWindow, IsIconic, GetSystemMetrics, LoadIconW, AppendMenuA, GetClientRect, SendMessageA, DrawIcon
SHELL32.dll	SHGetSpecialFolderPathA
OLEAUT32.dll	SysFreeString
MSVCP140.dll	?_Xlength_error@std@@YAXPBD@Z
VCRUNTIME140.dll	__std_exception_destroy, __std_exception_copy, _purecall, __CxxFrameHandler3, memcpy, __std_terminate, memset, __current_exception, __current_exception_context, _CxxThrowException, _except_handler4_common, __std_type_info_destroy_list, memmove
api-ms-win-crt-runtime-l1-1-0.dll	_errno, _invalid_parameter_noinfo, _controlfp_s, terminate, _configure_narrow_argv, _register_thread_local_exe_atexit_callback, _seh_filter_dll, _initialize_narrow_environment, _exit, exit, _initterm_e, _initterm, _get_narrow_winmain_command_line, _c_exit, _set_app_type, _seh_filter_exe, _cexit, _crt_at_quick_exit, _crt_atexit, _execute_onexit_table, _register_onexit_function, _initialize_onexit_table, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-string-l1-1-0.dll	_strdup
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode, _recalloc
api-ms-win-crt-filesystem-l1-1-0.dll	_access, _mkdir
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_setmbcp, _configthreadlocale

Exports

Name	Ordinal	Address
??0CFWXMLSerializer@@QAE@W4Mode@XMLSerializer@@@Z	1	0x401360
??1CFWCmdActionScript@@UAE@XZ	2	0x401460
??1CFWXMLSerializer@@QAE@XZ	3	0x4014e0
??4CFWXMLFile@@QAEAAV0@$$QAV0@@Z	4	0x401550
??4CFWXMLFile@@QAEAAV0@ABV0@@Z	5	0x401560
??4CFWXMLSerializer@@QAEAAV0@$$QAV0@@Z	6	0x401570
??4CFWXMLSerializer@@QAEAAV0@ABV0@@Z	7	0x401590
??4fwBaseUI@@QAEAAV0@ABV0@@Z	8	0x4015b0
?ReadValue@CFWXMLSerializer@@QAEXAAH@Z	9	0x401820
?ReadValue@CFWXMLSerializer@@QAEXAAJ@Z	10	0x401830
?ReadValue@CFWXMLSerializer@@QAEXAAM@Z	11	0x401840
?ReadValue@CFWXMLSerializer@@QAEXAAN@Z	12	0x401850
?ReadValue@CFWXMLSerializer@@QAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z	13	0x401860
?ReadValue@CFWXMLSerializer@@QAEXAA_N@Z	14	0x401870
?SetEmptyBOOLValue@CFWXMLSerializer@@QAEXAAH@Z	15	0x401b10
?SetEmptyValue@CFWXMLSerializer@@QAEXAAH@Z	16	0x401b20
?SetEmptyValue@CFWXMLSerializer@@QAEXAAJ@Z	17	0x401b30
?SetEmptyValue@CFWXMLSerializer@@QAEXAAK@Z	18	0x401b40
?SetEmptyValue@CFWXMLSerializer@@QAEXAAM@Z	19	0x401b50
?SetEmptyValue@CFWXMLSerializer@@QAEXAAN@Z	20	0x401b60
?SetEmptyValue@CFWXMLSerializer@@QAEXAAV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@@Z	21	0x401b80
?SetEmptyValue@CFWXMLSerializer@@QAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z	22	0x401ba0
?SetEmptyValue@CFWXMLSerializer@@QAEXAA_N@Z	23	0x401bd0
?WriteValue@CFWXMLSerializer@@QAEXABH@Z	24	0x401c20
?WriteValue@CFWXMLSerializer@@QAEXABJ@Z	25	0x401c30
?WriteValue@CFWXMLSerializer@@QAEXABM@Z	26	0x401c40
?WriteValue@CFWXMLSerializer@@QAEXABN@Z	27	0x401c50
?WriteValue@CFWXMLSerializer@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z	28	0x401c60
?WriteValue@CFWXMLSerializer@@QAEXAB_N@Z	29	0x401c70
?WriteValue@CFWXMLSerializer@@QAEXPBD@Z	30	0x401c80

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AMFWReset.exe_

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
AMFWReset.exe_