Edit tour

Windows Analysis Report
Cobian.Reflector.RemoteClient.exe

Overview

General Information

Sample name:	Cobian.Reflector.RemoteClient.exe
Analysis ID:	1417453
MD5:	c4273522e62e91d6c809299f134b7899
SHA1:	a4f4b7e92dbd9b60f1f27d0e615356804d596b24
SHA256:	cacb9e288755986ad4846c480c46a7b6d2d428816b236e5f18185fb074e7ed14
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

Cobian.Reflector.RemoteClient.exe (PID: 772 cmdline: "C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe" MD5: C4273522E62E91D6C809299F134B7899)

WerFault.exe (PID: 2228 cmdline: C:\Windows\system32\WerFault.exe -u -p 772 -s 1004 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: certificate valid

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: e.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: D:\Projects\Cobian Reflector 2\RemoteClient\obj\Release\Cobian.Reflector.RemoteClient.pdb, # source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdb4 source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb9u source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: PresentationFramework.pdb H source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdbdlllZ source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbF source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Cobian Reflector 2\RemoteClient\obj\Release\Cobian.Reflector.RemoteClient.pdbz! source: Cobian.Reflector.RemoteClient.exe
Source:	Binary string: PresentationCore.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: WindowsBase.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFA5000.00000004.00000020.00020000.00000000.sdmp, WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFA7000.00000004.00000020.00020000.00000000.sdmp, WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.ni.pdbRSDSDg{V source: WER737B.tmp.dmp.3.dr
Source:	Binary string: D:\Projects\Cobian Reflector 2\RemoteClient\obj\Release\Cobian.Reflector.RemoteClient.pdb source: Cobian.Reflector.RemoteClient.exe
Source:	Binary string: PresentationCore.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: WindowsBase.pdbH source: WER737B.tmp.dmp.3.dr
Source:	Binary string: Cobian.Reflector.RemoteClient.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Cobian.Reflector.RemoteClient.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msrlib.pdb3693405117-2476756634 source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER737B.tmp.dmp.3.dr
Source:	Binary string: ll\mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: PresentationCore.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: orlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr

Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713082477.000001C6A27E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Cobian.Reflector.RemoteClient;component/app.xaml
Source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713082477.000001C6A27E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/app.xaml
Source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713082477.000001C6A27E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/app.baml
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: Cobian.Reflector.RemoteClient.exe	String found in binary or memory: https://www.certum.pl/CPS0

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Code function: 0_2_00007FFD9B8806FA		0_2_00007FFD9B8806FA
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Code function: 0_2_00007FFD9B880E83		0_2_00007FFD9B880E83

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 772 -s 1004

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Section loaded: profapi.dll	Jump to behavior

Source: Cobian.Reflector.RemoteClient.exe, TaskEditor.cs

Task registration methods: '_CreateDelegate'

Source: classification engine

Classification label: clean4.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess772

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9c3b185e-f5cb-4d3c-9e65-e00b01086e1a

Jump to behavior

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Cobian.Reflector.RemoteClient.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

File read: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe "C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe"
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 772 -s 1004

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: certificate valid

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: D:\Projects\Cobian Reflector 2\RemoteClient\obj\Release\Cobian.Reflector.RemoteClient.pdb, # source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdb4 source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb9u source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: PresentationFramework.pdb H source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdbdlllZ source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbF source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Cobian Reflector 2\RemoteClient\obj\Release\Cobian.Reflector.RemoteClient.pdbz! source: Cobian.Reflector.RemoteClient.exe
Source:	Binary string: PresentationCore.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr
Source:	Binary string: WindowsBase.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFA5000.00000004.00000020.00020000.00000000.sdmp, WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFA7000.00000004.00000020.00020000.00000000.sdmp, WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.ni.pdbRSDSDg{V source: WER737B.tmp.dmp.3.dr
Source:	Binary string: D:\Projects\Cobian Reflector 2\RemoteClient\obj\Release\Cobian.Reflector.RemoteClient.pdb source: Cobian.Reflector.RemoteClient.exe
Source:	Binary string: PresentationCore.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.Xaml.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: WindowsBase.pdbH source: WER737B.tmp.dmp.3.dr
Source:	Binary string: Cobian.Reflector.RemoteClient.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Cobian.Reflector.RemoteClient.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0CDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msrlib.pdb3693405117-2476756634 source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER737B.tmp.dmp.3.dr
Source:	Binary string: ll\mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713371096.000001C6BAFB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PresentationFramework.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: PresentationCore.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER737B.tmp.dmp.3.dr
Source:	Binary string: orlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1712717562.000001C6A0C75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WER737B.tmp.dmp.3.dr

Source: Cobian.Reflector.RemoteClient.exe

Static PE information: 0xD2F28F76 [Mon Feb 23 22:36:38 2082 UTC]

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Memory allocated: 1C6A2620000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Memory allocated: 1C6BA7C0000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Queries volume information: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Cobian.Reflector.RemoteClient.exe	0%	ReversingLabs
Cobian.Reflector.RemoteClient.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://defaultcontainer/Cobian.Reflector.RemoteClient;component/app.xaml	0%	Avira URL Cloud	safe
http://ccsca2021.ocsp-certum.com05	0%	Avira URL Cloud	safe
http://foo/app.xaml	0%	Avira URL Cloud	safe
http://foo/bar/app.baml	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://repository.certum.pl/ctsca2021.cer0A	Cobian.Reflector.RemoteClient.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	Cobian.Reflector.RemoteClient.exe	false		high
http://repository.certum.pl/ctnca.cer09	Cobian.Reflector.RemoteClient.exe	false		high
http://crl.certum.pl/ctnca.crl0k	Cobian.Reflector.RemoteClient.exe	false		high
http://subca.ocsp-certum.com05	Cobian.Reflector.RemoteClient.exe	false	URL Reputation: safe	unknown
http://foo/app.xaml	Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713082477.000001C6A27E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://subca.ocsp-certum.com02	Cobian.Reflector.RemoteClient.exe	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	Cobian.Reflector.RemoteClient.exe	false	URL Reputation: safe	unknown
http://defaultcontainer/Cobian.Reflector.RemoteClient;component/app.xaml	Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713082477.000001C6A27E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.certum.pl/ctnca2.crl0l	Cobian.Reflector.RemoteClient.exe	false		high
http://repository.certum.pl/ctnca2.cer09	Cobian.Reflector.RemoteClient.exe	false		high
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s	Cobian.Reflector.RemoteClient.exe	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://ccsca2021.ocsp-certum.com05	Cobian.Reflector.RemoteClient.exe	false	Avira URL Cloud: safe	unknown
http://foo/bar/app.baml	Cobian.Reflector.RemoteClient.exe, 00000000.00000002.1713082477.000001C6A27E8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.certum.pl/CPS0	Cobian.Reflector.RemoteClient.exe	false		high
http://www.certum.pl/CPS0	Cobian.Reflector.RemoteClient.exe	false		high
http://repository.certum.pl/ccsca2021.cer0	Cobian.Reflector.RemoteClient.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417453
Start date and time:	2024-03-29 10:28:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cobian.Reflector.RemoteClient.exe
Detection:	CLEAN
Classification:	clean4.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Cobian.Reflector.RemoteClient.exe, PID 772 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:29:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Cobian.Reflector_864eeece3af2e1c7577532f3abfe40b0d7aafd64_21c124f6_7e44faf3-9f28-439f-9dbd-445dce6a0f1d\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1342406582874849
Encrypted:	false
SSDEEP:	192:UFmZrbgn501Pfkxf0aK2pVldolThzuiFDZ24lO89:1rbga1PfkxcaNp4NzuiFDY4lO89
MD5:	5B3C9B4FECFBF0033CF3693F3D2894F2
SHA1:	0F0E1E877417A9E2362D0F3D2D8A8F9A12439C42
SHA-256:	7B3760900EC343830F9CF66E055FDE694F8896231B44CDF3E11679B65DF1980F
SHA-512:	4101FE9E12418054501C0E4D9EFE63C0E0F3A1ED35F039A66EFCE7AD82C69197DD03617BCCEFF0602A3FF40D69547B40E32B8E47C3E39A9E73D7A41CA02D0EE1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.7.8.1.6.2.1.2.7.1.0.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.7.8.1.6.2.9.5.5.2.2.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.4.4.f.a.f.3.-.9.f.2.8.-.4.3.9.f.-.9.d.b.d.-.4.4.5.d.c.e.6.a.0.f.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.b.c.b.1.2.6.-.e.8.b.4.-.4.8.1.6.-.a.6.3.a.-.7.9.4.9.c.0.1.9.9.9.f.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.C.o.b.i.a.n...R.e.f.l.e.c.t.o.r...R.e.m.o.t.e.C.l.i.e.n.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.b.i.a.n...R.e.f.l.e.c.t.o.r...R.e.m.o.t.e.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.0.4.-.0.0.0.1.-.0.0.1.4.-.9.d.3.b.-.7.4.9.4.b.b.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.a.2.8.3.d.3.1.c.5.b.5.b.7.0.b.d.f.d.7.e.8.3.3.9.e.d.e.e.6.0.2.0.0.0.0.0.0.0.0.!.0.0.0.0.a.4.f.4.b.7.e.9.2.d.b.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER737B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Mar 29 09:29:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	488696
Entropy (8bit):	3.7361029510681973
Encrypted:	false
SSDEEP:	6144:Urv1oIHsasRiuoPyrTqKL11YgrzYfxqYDpWla3QM8d:Ov13mR7OKx1YWuqapWl6QM8d
MD5:	2931E116F033D6C8F29BBB464F6D5473
SHA1:	C98ACFDD2C0058B31BA46EA71FCB0B9B8BF6483A
SHA-256:	CDA57B0F8A922F1F9EBAACDAF521BDCC4582D5501BCBA6745C132CADC0960AF7
SHA-512:	E0855EFA6FE8F15AF28950C661520E0459E02D509E18C937288078DBB543B1E3F5AC3F16C67B7A98EAD6824F4101806B055E60D7B0FFFC56820A9D6C3D21581B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........f........................`...........$...4.......h...X........:...]..........l.......8...........T............'..8M...........#...........%..............................................................................eJ......D&......Lw......................T.............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75AF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8696
Entropy (8bit):	3.6928414146295254
Encrypted:	false
SSDEEP:	192:R6l7wVeJsuZXhzh6Y9iv5bNDogmfZtDS8fmprT89bMQ9f8km:R6lXJdZXD6YovVNMgmfzDS8/MCfG
MD5:	F1345F0AC6FD6BD24BD40C6D7CC14B41
SHA1:	1C13A48648D5265CE236358F3C363576EEA34B6B
SHA-256:	5A3FFE0DBD92490CB3F6E89C5A635F9867274DF16B0EB89ACAD8BBD5E30B8BA7
SHA-512:	57CA194958E0A578F5E58BD1546FA062F78A2FE60E15A970C0B5235C6A64B82AE083D8976EBB35A657174064134108CFFA59CB2FD72F1655563BD90BA7BD81D7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.2.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER763C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4943
Entropy (8bit):	4.51780953387543
Encrypted:	false
SSDEEP:	48:cvIwWl8zsfJg771I9xuWpW8VY2Ym8M4JymO2FM4yq8vhmOE/0ncd:uIjfBI7yP7VGJygWhI/0ncd
MD5:	A7F8532DB1C69535C2DDAE9F2D92DFAA
SHA1:	AF7447E011D21CDB7408B69084BAB27FB8D28C2A
SHA-256:	5F657A2CA563164CD2753E9E8B085ECF1E4A9803536161E35B26AD2452B2E6B9
SHA-512:	E11689835A644C3C60633C9C708D85A9689BD0F2F0EE4F78C808FA83C5281021B96170EEDC855923995AEED93348E48366FA37B38FE334E4748DFBCED336204C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="256352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465921641943313
Encrypted:	false
SSDEEP:	6144:bIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN5dwBCswSb67:8XD94+WlLZMM6YFHb+67
MD5:	18C2FD6EFB246487A17DDAFA21394D72
SHA1:	E63F4465460BE3A12015D54F025E7BBDF01A00F6
SHA-256:	EDB0FDB5DA65D1B37CF976DFF6E015AA56FF0303743461C23DE9F988F3896488
SHA-512:	D2FF27A9A11C062A5514AC7A00619C713C4479C26AEC2975D771ACFDEE85BA7D504502850D8C47014C94DEFF2543B03A3E4E0A2CA0176F2522A2A5822950A81A
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Z...................................................................................................................................................................................................................................................................................................................................................A..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.505894807541053
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Cobian.Reflector.RemoteClient.exe
File size:	605'520 bytes
MD5:	c4273522e62e91d6c809299f134b7899
SHA1:	a4f4b7e92dbd9b60f1f27d0e615356804d596b24
SHA256:	cacb9e288755986ad4846c480c46a7b6d2d428816b236e5f18185fb074e7ed14
SHA512:	c966a6a7208dd1502f7a1925f783da191f3bbb1d1f8ebc8d0109f7bbe8a511d6e39789d34f02c3c8c0d9a618ab5d18361f49a76d28ed1ec6e04b6371777f23fc
SSDEEP:	3072:btlvkGGeKTF4U/wreQxDi9txsEXCN6rtmPFi4nApsvczgm5Fi4nA4BS9lsqwuTkT:H4BTgfVSxJmU4nNLmu4n8nsx22
TLSH:	D4D4811362365416C967017904B0A1132BAEE93641FB8BB608C525BF67E327AFFCE357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v............."...0..............!... ...@....@.. ..............................-.....`................................

File Icon


Icon Hash:	8318d898d8181803

Static PE Info

General

Entrypoint:	0x4621a6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD2F28F76 [Mon Feb 23 22:36:38 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/08/2022 15:04:22 25/08/2024 15:04:21
Subject Chain	CN=Luis Cobian Dorta, O=Luis Cobian Dorta, S=V\xe4sterbotten, C=SE
Version:	3
Thumbprint MD5:	5B12FD2E17835497AD42D3322B241F3C
Thumbprint SHA-1:	D9AD5C73A05F98205FB4C7BE9EB22A6D1EA1DC3F
Thumbprint SHA-256:	6881BDFBDEF461C7B6D27B31B12926D292107BF07B83A2C5E87F93D4AE2B165F
Serial:	4CAB23B96CCA481B629565A64BF4B83C

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x62152	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x30ff0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x91600	0x2750	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x620a8	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x601ac	0x60200	34b2134597e079c9a4e20c527be2f719	False	0.3211430225942783	data	5.763016216566963	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x30ff0	0x31000	3b939f21a604cf1e5d62bc3bb6035702	False	0.31858358577806123	data	4.675015379837106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	d4f8a98e5d16ad63812cac29c07ffb22	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x64340	0x2e07	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9965204107612662
RT_ICON	0x67158	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.24451219512195121
RT_ICON	0x677d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.31451612903225806
RT_ICON	0x67ac8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	0.39139344262295084
RT_ICON	0x67cc0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.4527027027027027
RT_ICON	0x67df8	0x1386	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9645858343337335
RT_ICON	0x69190	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.1300639658848614
RT_ICON	0x6a048	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.14124548736462095
RT_ICON	0x6a900	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.1497695852534562
RT_ICON	0x6afd8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.14378612716763006
RT_ICON	0x6b550	0x5d7a	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced	0.8767237776849144
RT_ICON	0x712dc	0x47fb	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	0.8159222879470343
RT_ICON	0x75ae8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.03656985685555424
RT_ICON	0x86320	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.06113678373382625
RT_ICON	0x8b7b8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.06400566839867737
RT_ICON	0x8f9f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.09066390041493776
RT_ICON	0x91fa8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.13602251407129456
RT_ICON	0x93060	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.1762295081967213
RT_ICON	0x939f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.25975177304964536
RT_GROUP_ICON	0x93e70	0x110	data	0.5955882352941176
RT_VERSION	0x93f90	0x46c	data	0.3710247349823322
RT_MANIFEST	0x9440c	0xbdd	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.4003951267698387

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Cobian.Reflector.RemoteClient.exePID: 772, Parent PID: 2580

General

Target ID:	0
Start time:	10:29:21
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Cobian.Reflector.RemoteClient.exe"
Imagebase:	0x7ff7699e0000
File size:	605'520 bytes
MD5 hash:	C4273522E62E91D6C809299F134B7899
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2228, Parent PID: 772

General

Target ID:	3
Start time:	10:29:21
Start date:	29/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 772 -s 1004
Imagebase:	0x7ff7d6ac0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Cobian.Reflector.RemoteClient.exePID: 772, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8806FA Relevance: 3.9, Strings: 3, Instructions: 193COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD9B880772
O_^, xrefs: 00007FFD9B880762
O_^, xrefs: 00007FFD9B88072A

Memory Dump Source

Source File: 00000000.00000002.1713762410.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Cobian.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^
API String ID: 0-2354738860
Opcode ID: 5be20982376d463f0bb484e0969bd572260b04b0e2715c32c8ea119b7d896c87
Instruction ID: 354319e505e1351b1e68edddf39ae41c84d5d158291a849785352abd22d31041
Opcode Fuzzy Hash: 5be20982376d463f0bb484e0969bd572260b04b0e2715c32c8ea119b7d896c87
Instruction Fuzzy Hash: FC51E6A3B0EADB4FE356577C68B41E53B50EF56A6870A40F7C0E98F0A7EC28154B8241

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B880E83 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713762410.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_Cobian.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b4068220023e995f1b3c2712e3560336697ebb9fbb62533cdbbdc4136effd8
Instruction ID: 855f5ba20c2b2c4bb3b954f288ba7ff24386398ee639724959d76286b0e9d23e
Opcode Fuzzy Hash: 24b4068220023e995f1b3c2712e3560336697ebb9fbb62533cdbbdc4136effd8
Instruction Fuzzy Hash: A671AF17A0EAEB5FE722A77C58751E57F60DF5A62470A00F7C0E48F4E39928690A8351

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cobian.Reflector.RemoteClient.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Cobian.Reflector_864eeece3af2e1c7577532f3abfe40b0d7aafd64_21c124f6_7e44faf3-9f28-439f-9dbd-445dce6a0f1d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER737B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75AF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER763C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Cobian.Reflector.RemoteClient.exePID: 772, Parent PID: 2580

General

Windows Analysis Report
Cobian.Reflector.RemoteClient.exe