Edit tour

Windows Analysis Report
llrI4LHbAT.exe

Overview

General Information

Sample name:	llrI4LHbAT.exe renamed because original name is a hash value
Original sample name:	e670bd04bac313f2684a515ae7771e26.bin.exe
Analysis ID:	1430634
MD5:	e670bd04bac313f2684a515ae7771e26
SHA1:	0bded097979c3e25819204d45b2187fa1d1a6dfd
SHA256:	6855843f9d23ab29ea40bd14abee4b8d8b28245c44d3154e0bc0c66ae6e3002a
Tags:	exeprg
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Detected potential crypto function

Entry point lies outside standard sections

One or more processes crash

PE file contains sections with non-standard names

Uses 32bit PE files

Classification

Process Tree

System is w10x64

llrI4LHbAT.exe (PID: 3252 cmdline: "C:\Users\user\Desktop\llrI4LHbAT.exe" MD5: E670BD04BAC313F2684A515AE7771E26)

WerFault.exe (PID: 5636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: llrI4LHbAT.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: llrI4LHbAT.exe

ReversingLabs: Detection: 94%

Machine Learning detection for sample

Source: llrI4LHbAT.exe

Joe Sandbox ML: detected

Source: llrI4LHbAT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\llrI4LHbAT.exe

Code function: 0_2_00408B28

0_2_00408B28

Source: C:\Users\user\Desktop\llrI4LHbAT.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 252

Source: llrI4LHbAT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3252

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\55d197a4-f42e-4aff-a716-2233d5634139

Jump to behavior

Source: C:\Users\user\Desktop\llrI4LHbAT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: llrI4LHbAT.exe

ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\llrI4LHbAT.exe "C:\Users\user\Desktop\llrI4LHbAT.exe"
Source: C:\Users\user\Desktop\llrI4LHbAT.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 252

Source: C:\Users\user\Desktop\llrI4LHbAT.exe

Section loaded: apphelp.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .nwn

Source: llrI4LHbAT.exe	Static PE information: section name: .doz
Source: llrI4LHbAT.exe	Static PE information: section name: .xir
Source: llrI4LHbAT.exe	Static PE information: section name: .anydwp
Source: llrI4LHbAT.exe	Static PE information: section name: .nwn

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
llrI4LHbAT.exe	95%	ReversingLabs	Win32.Trojan.Zeus
llrI4LHbAT.exe	100%	Avira	TR/Crypt.XPACK.Gen
llrI4LHbAT.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430634
Start date and time:	2024-04-24 01:18:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	llrI4LHbAT.exe renamed because original name is a hash value
Original Sample Name:	e670bd04bac313f2684a515ae7771e26.bin.exe
Detection:	MAL
Classification:	mal60.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target llrI4LHbAT.exe, PID 3252 because there are no executed function
VT rate limit hit for: llrI4LHbAT.exe

Simulations

Behavior and APIs

Time	Type	Description
01:19:04	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_llrI4LHbAT.exe_ef622c309367ec50eda8f77493cd3fb72f9ad25d_bd688d59_ab2be670-9e5c-4ae4-ab5c-55db87e0ca41\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6614705497277429
Encrypted:	false
SSDEEP:	96:egFKjdH+2sxhFj7IfQQXIDcQ2c6ScEjcw3Cc+HbHg/uAnhZAX/d5FMT2SlPkpXm2:zMjde2R0oWZgjRzuiF0Z24IO8r
MD5:	011A8BB32C78C62E3F1547CAB0855375
SHA1:	A84A65B8EE1CACD32B6ACF103A7A01C5A5662BB8
SHA-256:	AEC5A9FB49C12B4FE499999152C618B730A2EBB4F030341E3EA3758109F85B82
SHA-512:	E99F0245E8D7CF3F4168425C5789C926F57F2D49ED5507CB8CD33E7F9ECB2498B25B98F1FD4958A68BFAA8DCEFB7ED401B80F3689F9EF518D40C9A51F071E6EB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.8.7.9.3.1.9.0.1.5.5.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.8.7.9.3.2.2.9.2.1.8.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.2.b.e.6.7.0.-.9.e.5.c.-.4.a.e.4.-.a.b.5.c.-.5.5.d.b.8.7.e.0.c.a.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.1.e.e.4.9.e.-.e.3.a.9.-.4.3.d.d.-.a.0.4.9.-.f.9.c.9.8.e.1.5.6.4.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.l.r.I.4.L.H.b.A.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.b.4.-.0.0.0.1.-.0.0.1.4.-.e.f.b.6.-.3.a.9.a.d.4.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.6.b.a.2.b.c.9.5.c.e.1.0.5.a.9.b.1.c.e.5.6.6.a.c.3.4.7.2.7.f.8.0.0.0.0.f.f.f.f.!.0.0.0.0.0.b.d.e.d.0.9.7.9.7.9.c.3.e.2.5.8.1.9.2.0.4.d.4.5.b.2.1.8.7.f.a.1.d.1.a.6.d.f.d.!.l.l.r.I.4.L.H.b.A.T...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BFA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Apr 23 23:18:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	38690
Entropy (8bit):	2.048824454446006
Encrypted:	false
SSDEEP:	192:YkuufO5II3I0a7uIVFTrtGaiO60lAL0Nszn2nn8v:PWr3m7vxteLYWnp
MD5:	1EE810A5D07D98FFDCE65370783B3217
SHA1:	AD977900870361417DF5217BE1D24D0906FA97C0
SHA-256:	2FB883D0F1917FF76B37C38168563D8B273C81532B9BABB3D9D43AECB7640CB2
SHA-512:	4F1315F937152CC921A3303AF81E5A4CD271C837D111165E637F56EE6ED89B7BF4C3B73EEA8DA8CFD7DC602318EF0D96374515E1B5D8A168C641154681DBBF09
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........A(f........................<...........................T.......8...........T...........8..........................................................................................................eJ......\.......GenuineIntel............T............A(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C59.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8292
Entropy (8bit):	3.696240837116499
Encrypted:	false
SSDEEP:	192:R6l7wVeJLn6dm6YEIJSU9eZgmfLvpDT89bcksf0X0m:R6lXJr686YEGSU9eZgmfLOcXf4
MD5:	CFA18B9B3C7AC23D9CC8A9F201DF26CC
SHA1:	7BA8BC7E2953BCCCBEC7CDE22A1E0714A436963C
SHA-256:	3831C8DBB69C81DAA0A37C8A5F620607526D4FCD20B6A9F487C0A6E12A1B32A4
SHA-512:	D01F7E189107FAA8C798654430E381C6E2110EC77E4832B3138FD02120919F932F5353137743D59F29410F312C00E9FED0E5CE1AB85B33341BBBE0380937582E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CC7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.463310786098289
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg77aI9T9k3hWpW8VYrYm8M4JIfkFmG7l+q8AhpZ+ZZf+2d:uIjfCI7XkA7VTJ68Dpqf+2d
MD5:	157E06439CB09FE2FB63EDFBE65BC033
SHA1:	3F82E85DFD733C94858365E76056C4696AEA60B8
SHA-256:	11D34EA8743130D5283294E0EAA4A81B4B3B0033714405B9D0A1D30E4DADFE7D
SHA-512:	C14316A34B5030DDDEBC8CD24D57F7B229487FD95C1CD90390C79606CEE76B4A674F5FD77ECB8653B276E434932AB65E71F432A8CAD27C8849100883A2FF7A47
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293181" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.42156039869844
Encrypted:	false
SSDEEP:	6144:ISvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:TvloTMW+EZMM6DFyD03w
MD5:	39A4D66A0795F5DECBB4551AF90E2F3B
SHA1:	EC05CCA36B8C7AED2A2030C9E9BCA124669618F8
SHA-256:	3928A28A8C042E202E676F223015C7CC85919CA22C5BDC406D8ABD4C8F58F1A6
SHA-512:	B88907331A0AFB2B3E187F5F54BF1594B5237E46F3B590B6CE169CE15705978F64909D54A508D9EA0575C2D42E8B2C7EF7894BFD49D224CD56B202C14D22F48F
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................Zi.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.767895397959167
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	llrI4LHbAT.exe
File size:	40'960 bytes
MD5:	e670bd04bac313f2684a515ae7771e26
SHA1:	0bded097979c3e25819204d45b2187fa1d1a6dfd
SHA256:	6855843f9d23ab29ea40bd14abee4b8d8b28245c44d3154e0bc0c66ae6e3002a
SHA512:	90593508224565aa30a0338a17793f1ea9ce4b268b48537c7f9fdd1fa2a2f757cc4df9c0c09ca357888e9e033bd61bce17d1524a09b1486f0c65470509ce108d
SSDEEP:	768:KYhLvnwxbpvdGirqQxxgsMo08YQGl3FFGNkvZp7GAZQbJTiZlGO+:KYVvnQpvdGeV6eniVFRZp7dQbJj3
TLSH:	B1038C5A7BA1C0B2CAA140727A57FF563BEED82744259C47C7745DD02A30A02A63FF4B
File Content Preview:	MZ......cryp......6.`...`...`....O..`....-......................^}f}(@.vT.K.N.Q.H...@.>.).+.,o..#x)..........^}f}(@..NzV.Q.S.FW5.;`$PE..L.....F<.....................&......m ... ........@....................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41206d
Entrypoint Section:	.nwn
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x3C469D97 [Thu Jan 17 09:47:03 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	773d45c1468496235f40d0936a1c1a06

Entrypoint Preview

Instruction
xor esi, esi
mov eax, 0041208Bh
mov ebx, 004121B5h
inc byte ptr [eax]
inc eax
cmp eax, ebx
jne 00007FDA2CD8A70Bh
inc esi
cmp esi, 00033CC1h
jne 00007FDA2CD8A6F8h
xor esi, esi
nop
nop
nop
mov eax, 0040017Ch
mov esi, dword ptr [eax+0Ch]
add esi, 00400000h
mov edi, 004121B5h
call 00007FDA2CD8A74Fh
mov ecx, dword ptr [esi]
mov edi, esi
mov esi, 004121B5h
rep movsb
add eax, 28h
cmp eax, 004001F4h
jc 00007FDA2CD8A6EAh
mov eax, dword ptr [esp]
push 000010C4h
push 00400128h
push 00010000h
push 00400124h
push eax
push 00400000h
mov eax, 00404714h
call eax
ret
pushad
mov ebx, 00184171h
mov ecx, 00000000h
mov edx, 00000000h
sub byte ptr [esi], bl
shr ebx, 08h
inc ecx
cmp ecx, 04h
jne 00007FDA2CD8A71Ch
mov ebx, 00184171h
mov ecx, 00000000h
inc esi
inc edx
cmp edx, 08h
jl 00007FDA2CD8A6F6h
jnle 00007FDA2CD8A717h
mov eax, dword ptr [esi-04h]
add eax, esi
cmp esi, eax
jl 00007FDA2CD8A6EBh
popad
pushad
add esi, 08h
mov ebp, FFFFFFFFh
cld
jmp 00007FDA2CD8A717h
movsb
add ebx, ebx
jne 00007FDA2CD8A719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDA2CD8A704h
xor eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12010	0x5e	.nwn
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0x10c4	.anydwp
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.doz	0x1000	0xcef8	0x8400	a2a1d9737a10a764b6ae60d1dca4f6ad	False	0.6451822916666666	data	6.735877329677046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xir	0xe000	0x13d0	0x400	cfedb46539cdc370ada3950dd2821bb5	False	0.5126953125	data	3.9033531703359197	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.anydwp	0x10000	0x10f6	0x1200	0247e91eefb3ba106268ce7b87431404	False	0.7884114583333334	data	6.517911838580675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.nwn	0x12000	0xf000	0x200	a3fd357ac7217b479d395ab1127b058b	False	0.76953125	OpenPGP Public Key	5.695344086670475	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
advapi32.dll	GetServiceDisplayNameA

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: llrI4LHbAT.exePID: 3252, Parent PID: 1028

General

Target ID:	0
Start time:	01:18:51
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\llrI4LHbAT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\llrI4LHbAT.exe"
Imagebase:	0x400000
File size:	40'960 bytes
MD5 hash:	E670BD04BAC313F2684A515AE7771E26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5636, Parent PID: 3252

General

Target ID:	4
Start time:	01:18:51
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 252
Imagebase:	0xf50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: llrI4LHbAT.exePID: 3252, Parent PID: 1028COMMON

Non-executed Functions

Function 00408B28 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117270379.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2117256147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117286382.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117300855.0000000000410000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117315724.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_llrI4LHbAT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
Instruction ID: 7d39df98114f1653e0e5c9d24845c47ba7b704fb9b46c3858bbf9f9f350696f7
Opcode Fuzzy Hash: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
Instruction Fuzzy Hash: 4C818F32D0552ADBDB14CE58C6406ADB7B1EB85324F1542AAEC927B3C1CB38AD41DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004070BE Relevance: 15.4, Strings: 12, Instructions: 416COMMON

Download Yara Rule

Strings

CONNECT , xrefs: 00407127
Proxy-, xrefs: 00407272
Connection: , xrefs: 0040723C
Host: , xrefs: 00407295
Connection: close, xrefs: 00407530
HTTP/1.0 200 Connection established, xrefs: 00407441
*keep-alive*, xrefs: 00407257
P, xrefs: 004071AC
http://, xrefs: 0040716A
Content-Length: , xrefs: 004072CA, 004074CA
/, xrefs: 0040715B
Proxy-Connection: , xrefs: 0040721B

Memory Dump Source

Source File: 00000000.00000002.2117270379.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2117256147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117286382.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117300855.0000000000410000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117315724.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_llrI4LHbAT.jbxd

Similarity

API ID:
String ID: *keep-alive*$/$CONNECT $Connection: $Connection: close$Content-Length: $HTTP/1.0 200 Connection established$Host: $P$Proxy-$Proxy-Connection: $http://
API String ID: 0-737691513
Opcode ID: 37425a04a9fb94eb29bd051616680d827b7545797bb852f54f9fd6411f8c2840
Instruction ID: 028d741e91522fce9a418a9e44293db95840e2613fe04ad9401a0206ae50e9dd
Opcode Fuzzy Hash: 37425a04a9fb94eb29bd051616680d827b7545797bb852f54f9fd6411f8c2840
Instruction Fuzzy Hash: F0D11371D08306BAEB216B71CC4AFAF7EA8DF11304F14047BF940B52D2EA7DA950975A

Uniqueness

Uniqueness Score: -1.00%

Function 00407E7A Relevance: 8.9, Strings: 7, Instructions: 177COMMON

Download Yara Rule

Strings

&pr=, xrefs: 00408009
&v=, xrefs: 00407EFE
&s=, xrefs: 00407F73
&lcp=, xrefs: 00407FD3
&i=, xrefs: 00407F2F
&sp=, xrefs: 00407F9A
&n=, xrefs: 00407EEC

Memory Dump Source

Source File: 00000000.00000002.2117270379.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2117256147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117286382.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117300855.0000000000410000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117315724.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_llrI4LHbAT.jbxd

Similarity

API ID:
String ID: &i=$&lcp=$&n=$&pr=$&s=$&sp=$&v=
API String ID: 0-1780237566
Opcode ID: 5480b9c89b62b124dc859b6d0c31e836f3c1caec9e7d40875802f04511655f1d
Instruction ID: 3c9602c0e981aa38eb4b21b92629bb3b52244cba5528982d46ee0065ad6ea5ba
Opcode Fuzzy Hash: 5480b9c89b62b124dc859b6d0c31e836f3c1caec9e7d40875802f04511655f1d
Instruction Fuzzy Hash: 7451B3B2900315BEDB01FB76CE42EEB37ACAB15708F14453EB950F3191EA78952487A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404714 Relevance: 5.4, Strings: 4, Instructions: 388COMMON

Download Yara Rule

Strings

VirtualProtect, xrefs: 00404740
LoadLibraryA, xrefs: 0040474E
ExitProcess, xrefs: 00404735
GetProcAddress, xrefs: 0040475B

Memory Dump Source

Source File: 00000000.00000002.2117270379.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2117256147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117286382.000000000040E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117300855.0000000000410000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2117315724.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_llrI4LHbAT.jbxd

Similarity

API ID:
String ID: ExitProcess$GetProcAddress$LoadLibraryA$VirtualProtect
API String ID: 0-4138668056
Opcode ID: 0a218a25fa79aee3a30c648572788efbc9fee402d59857677bbf6ab0b17a24cc
Instruction ID: 7b46cc9055401ed2876dc33509f4584140f475fa3e23990bc227b811cc0f8a0a
Opcode Fuzzy Hash: 0a218a25fa79aee3a30c648572788efbc9fee402d59857677bbf6ab0b17a24cc
Instruction Fuzzy Hash: 93D1C3B2500209BFDB10AF65DD85EAB3B6CEF44304F14487AF601B71E2DA39DD609B69

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report llrI4LHbAT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_llrI4LHbAT.exe_ef622c309367ec50eda8f77493cd3fb72f9ad25d_bd688d59_ab2be670-9e5c-4ae4-ab5c-55db87e0ca41\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BFA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C59.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CC7.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: llrI4LHbAT.exePID: 3252, Parent PID: 1028

General

Chronological Activities

Analysis Process: WerFault.exePID: 5636, Parent PID: 3252

General

Chronological Activities

Windows Analysis Report
llrI4LHbAT.exe