Edit tour

Windows Analysis Report
LNTi2c9njT.exe

Overview

General Information

Sample name:	LNTi2c9njT.exe renamed because original name is a hash value
Original sample name:	051e19c60f16f4a60e81a624b8000a9e.bin.exe
Analysis ID:	1430677
MD5:	051e19c60f16f4a60e81a624b8000a9e
SHA1:	ab6881452544684fdd7826209ea3ad407cf8ce6c
SHA256:	860b10d5f6ed534bff3a8097a8fe08a5914e6b20631d9ee11cc05eb606324826
Tags:	exeprg
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

Entry point lies outside standard sections

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LNTi2c9njT.exe (PID: 2352 cmdline: "C:\Users\user\Desktop\LNTi2c9njT.exe" MD5: 051E19C60F16F4A60E81A624B8000A9E)

WerFault.exe (PID: 4724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LNTi2c9njT.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: LNTi2c9njT.exe	ReversingLabs: Detection: 76%
Source: LNTi2c9njT.exe	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for sample

Source: LNTi2c9njT.exe

Joe Sandbox ML: detected

Source: LNTi2c9njT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\LNTi2c9njT.exe

Code function: 0_2_0040A91A

0_2_0040A91A

Source: C:\Users\user\Desktop\LNTi2c9njT.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 228

Source: LNTi2c9njT.exe

Static PE information: No import functions for PE file found

Source: LNTi2c9njT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2352

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7426f5f4-0a75-4a1b-afd6-a59897ab2136

Jump to behavior

Source: C:\Users\user\Desktop\LNTi2c9njT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LNTi2c9njT.exe	ReversingLabs: Detection: 76%
Source: LNTi2c9njT.exe	Virustotal: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\LNTi2c9njT.exe "C:\Users\user\Desktop\LNTi2c9njT.exe"
Source: C:\Users\user\Desktop\LNTi2c9njT.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 228
Source: C:\Users\user\Desktop\LNTi2c9njT.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 252

Source: C:\Users\user\Desktop\LNTi2c9njT.exe

Section loaded: apphelp.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .qded

Source: LNTi2c9njT.exe	Static PE information: section name: .bkjyr
Source: LNTi2c9njT.exe	Static PE information: section name: .qded
Source: LNTi2c9njT.exe	Static PE information: section name: .mbkpez

Source: C:\Users\user\Desktop\LNTi2c9njT.exe	Code function: 0_2_0040015F push eax; iretd		0_2_00400172
Source: C:\Users\user\Desktop\LNTi2c9njT.exe	Code function: 0_2_00400125 push esp; ret		0_2_00400126

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LNTi2c9njT.exe

Process queried: DebugPort

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LNTi2c9njT.exe	76%	ReversingLabs	Win32.Trojan.Zeus
LNTi2c9njT.exe	70%	Virustotal		Browse
LNTi2c9njT.exe	100%	Avira	TR/Crypt.XPACK.Gen
LNTi2c9njT.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430677
Start date and time:	2024-04-24 02:41:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LNTi2c9njT.exe renamed because original name is a hash value
Original Sample Name:	051e19c60f16f4a60e81a624b8000a9e.bin.exe
Detection:	MAL
Classification:	mal60.winEXE@3/9@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LNTi2c9njT.exe, PID 2352 because there are no executed function

Simulations

Behavior and APIs

Time	Type	Description
02:42:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LNTi2c9njT.exe_ba2ca29b8f46d8a701a6c71902b27c07b2f2d_5591770a_d54de3a9-c64f-4b8a-997c-278d3efc8b9a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6329849325617276
Encrypted:	false
SSDEEP:	96:zCFNARmX8sahAg71fuQXIDcQvc6QcEVcw3cE/n+HbHg6ZAX/d5FMT2SlPkpXmTAA:GuA8v0BU/gjEzuiFMZ24IO8b
MD5:	7090020A13FE75F24E382535FD364C4D
SHA1:	EF82C735ED870E59966E7964FEEA952F57D942B3
SHA-256:	CB1B683D1EF59D44386322451759336D3905BA5B73F92F2541B1872757EA5446
SHA-512:	DF88CAC2714BD618AE58F7042B13A586652E376F5F050B7F6DAE77633B9093B824BB14A2672C7B8F5F81EB39C11E1763C23DE07C5C237728505B76D1C4F25314
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.9.2.9.1.2.7.8.1.5.6.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.9.2.9.1.3.0.1.5.9.3.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.4.d.e.3.a.9.-.c.6.4.f.-.4.b.8.a.-.9.9.7.c.-.2.7.8.d.3.e.f.c.8.b.9.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.5.2.7.5.3.a.-.0.e.1.3.-.4.5.8.a.-.b.8.3.e.-.4.c.7.3.d.c.5.1.c.a.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.N.T.i.2.c.9.n.j.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.3.0.-.0.0.0.1.-.0.0.1.4.-.7.d.9.7.-.d.a.3.2.e.0.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.a.0.0.6.5.1.d.b.a.5.b.7.d.9.3.f.c.1.f.5.f.d.2.c.0.f.f.d.f.0.0.0.0.f.f.f.f.!.0.0.0.0.a.b.6.8.8.1.4.5.2.5.4.4.6.8.4.f.d.d.7.8.2.6.2.0.9.e.a.3.a.d.4.0.7.c.f.8.c.e.6.c.!.L.N.T.i.2.c.9.n.j.T...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LNTi2c9njT.exe_f9d7df2859891c9163159962fc106b1832c35c77_5591770a_94806dc9-d330-4e87-a959-d85ca9135180\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6291180702346132
Encrypted:	false
SSDEEP:	96:cZ/NXnsahAg79iSZQXIDcQzc645cocE1cw345cR+HbHg6ZAX/d5FMT2SlPkpXmT6:6/FnI0tM/ijEzuiFMZ24IO8u
MD5:	7D2B3A15A2F631DE25FAD5C358A3AD3D
SHA1:	A020CD272B2ACA6E349028BF5200EF8346D07DD1
SHA-256:	A5205A968CC8DDB05B72C7501FE0296B62177DD148D9FBEE3D705881DEF7834C
SHA-512:	313B8AE366B9C9CA7152589C36826E8BF5957D63BCB96535BB7830EF39C9C93D509C381746407A0AC74B7B13E1CFAC76B8A9D94A149408D1364FEDA5D9B0E487
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.9.2.9.1.2.2.5.6.9.3.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.8.0.6.d.c.9.-.d.3.3.0.-.4.e.8.7.-.a.9.5.9.-.d.8.5.c.a.9.1.3.5.1.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.4.8.9.7.3.1.-.0.6.4.1.-.4.3.6.d.-.9.a.1.2.-.5.b.5.c.c.8.7.6.9.d.e.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.N.T.i.2.c.9.n.j.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.3.0.-.0.0.0.1.-.0.0.1.4.-.7.d.9.7.-.d.a.3.2.e.0.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.a.0.0.6.5.1.d.b.a.5.b.7.d.9.3.f.c.1.f.5.f.d.2.c.0.f.f.d.f.0.0.0.0.f.f.f.f.!.0.0.0.0.a.b.6.8.8.1.4.5.2.5.4.4.6.8.4.f.d.d.7.8.2.6.2.0.9.e.a.3.a.d.4.0.7.c.f.8.c.e.6.c.!.L.N.T.i.2.c.9.n.j.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.0././.0.5././.1.4.:.0.2.:.5.4.:.3.2.!.0.!.L.N.T.i.2.c.9.n.j.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAED5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 24 00:41:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18036
Entropy (8bit):	1.938124635835719
Encrypted:	false
SSDEEP:	96:5C8YjE3yN5PfTA1Mdi7nURkx5gf4JAuSxuDtWIkWIcaPIQTZVOx4:z8sCOSfcgxuDeTZVOx4
MD5:	1717F514D9EF92363A84DBBD1F95BDC5
SHA1:	4060C685DB0FCF0B6CFC4A2704E2F235A1920119
SHA-256:	4B0F0A62B31D27B512761E02563F4511977CC4BAD0B5FF36C64179E2549F2B4A
SHA-512:	2AF82D908B25485C74C1C30DBC5E9795D8E402361C4BAF053E08DB63427E9ABA1F4A6439128A667A99C6683B14AB835D42D5682F0FCE4BC53B1A45826712CB40
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......PU(f............4...............<.......d...............T.......8...........T...........p....=......................................................................................................eJ......L.......GenuineIntel............T.......0...OU(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF34.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.69482005777075
Encrypted:	false
SSDEEP:	192:R6l7wVeJ496b36YEI5SUTDHFgmfivpNO89bG81f9/ECm:R6lXJ66b36YEGSUTDHFgmfiTGGflA
MD5:	6D0F1BD6095E3D96447583661E7274B9
SHA1:	E40A1AAE198D6A988C119BE69B160A2BF48155D0
SHA-256:	D056CA3D1C4D7BA0E70F4F7A8229DC03E0E54C0F451FAFC8FA62836B5D6ECB25
SHA-512:	F10264A8DA8A3B49524378D12CA290D9EFA1F43D1F9592C33C888C020B4862F4D453704874FDD9F211447266514E0D7A0BC91FE698B27C66CEA3564310D70386
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF64.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	4.456267476468671
Encrypted:	false
SSDEEP:	48:cvIwWl8zswJg77aI9wjWpW8VYIoYm8M4JbhFnZh+q8vzj+s37Hd:uIjf2I7aS7VxJXPKnL37Hd
MD5:	CBEDB118E1C609C5E550C7C0D2888055
SHA1:	666F1721FC74A4F0294FA42DC7B899745D3B1752
SHA-256:	D71A44835406010C27E5AF8C00FE836F310500E392DE437187123D127D5B6070
SHA-512:	2DF4298A5C301972C19B0E423FFB89855ECBD1AB12DE3D8C4E2E15D8CDF4C89004D7F9BA011A71CAD9B5AADD3691D221027DCB47B47AF403E8A0A44F3324F727
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293264" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0D9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 24 00:41:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18760
Entropy (8bit):	2.0101209866874186
Encrypted:	false
SSDEEP:	96:5C8CjE3ON5P7gMdi7nUYx5gf4bAxcH9g0MytWIkWI/aPI4T8uN5y:zSVOYfeeAq0l7T8c5y
MD5:	9D18786615569521D36C60FAB974BF1A
SHA1:	55FEB5AF4508023183E7A66905B68A1834C58CA8
SHA-256:	AD5FBEE6D8289F7B2F083B49106EF715C4273091023B8277E6E253088B8AE8F5
SHA-512:	73EAD4ED1703FAD90D19BC3E5A3D354F46AB2D72E4E1D28B5A5279F771593F9AF34716EE86F86E7954846AF61B8D512DEDE268322178CA5E7DAAB8AB37341058
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......PU(f............4...............<.......d...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T.......0...OU(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB109.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.6979805093653444
Encrypted:	false
SSDEEP:	192:R6l7wVeJ496bO16YEItSUTDHFgmfFdprv89bGcsf/uCm:R6lXJ66bO16YESSUTDHFgmfFwGvf/i
MD5:	B00003F0FD658702CC14E89DC3AB9A31
SHA1:	419D9ABB0AA65F7686484C7D5785E92862D483B2
SHA-256:	86F9DD00152F3FFA04BBD3B84220B4ACFE6C37A1B3911FAEF40F0A14FD74156E
SHA-512:	61F32DB6F20468A95DE5B99CAFBD9B9831D03C10C8995A3071C687455A5B4939188DD457C10EBE7CD5398DCB2909BFD330C3E1405DB5905AD8AF012F66B3F964
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB129.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.469941032416948
Encrypted:	false
SSDEEP:	48:cvIwWl8zswJg77aI9wjWpW8VYIqYm8M4Jb2F0+q8EL+s372d:uIjf2I7aS7VHJ3pL372d
MD5:	3242FA702C743AC6D263686F887F1F4D
SHA1:	134E1C436F23D329CD1F6DC8613DA3984570642D
SHA-256:	737B98050A96F86E114DEF1ACD40ABE9F43C7AFB53E796E3F4920CB80921F915
SHA-512:	92F328C13CC6FAD6269036F857B8F5227AEF3DCC79205254A6756AAEBB99C4A58055DBD0F736B016AF512A891C48E33BFB85E92DC07FA431312C4FA15388C1AB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293264" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421553108778493
Encrypted:	false
SSDEEP:	6144:0Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNz0uhiTw:/vloTMW+EZMM6DFyp03w
MD5:	70823D37BCD078EA35A35DE074CD08D3
SHA1:	5F0D5DD595BB6D520FDD467BC67F204E43245559
SHA-256:	BCD8F2D16ACEE70B6D9BB986E122C6A7B5DB1B7E144E2CA91115954FCCC9B9CB
SHA-512:	11682011809EE56872F0C03A6B3441E2C9E1BF3D63D25962DA80FDE8F52B422857FA02F375595A01FF220648FB3C3B029DED263C073A7CE1E10A2804BCF842C5
Malicious:	false
Reputation:	low
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...3.................................................................................................................................................................................................................................................................................................................................................D..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.767305042787785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% Targa bitmap (Original TGA Format) (7/2) 0.00%
File name:	LNTi2c9njT.exe
File size:	50'688 bytes
MD5:	051e19c60f16f4a60e81a624b8000a9e
SHA1:	ab6881452544684fdd7826209ea3ad407cf8ce6c
SHA256:	860b10d5f6ed534bff3a8097a8fe08a5914e6b20631d9ee11cc05eb606324826
SHA512:	446c844760700bfc3e218db97b03a1f035b898b4e61c1967b874327e8017d788d598b368bdcb8b7868ea3d2501f25840ddc826b83dedf94ba4bb174c77a80f72
SSDEEP:	1536:dXWvuUkqQIs8blBcEn2K26OfJ1G1NNLHzNFv9I9:WNtblGjPU1NBHRFv9i
TLSH:	7D338E8675D1DFF3D92E80312196BBB64FBAF8310925AC5793200BCA7952192862FF47
File Content Preview:	MZ..........................................................t.......nz10A....'..`...`............'..........^}f}(@..U.K.S.MS9.?\1_,.4^}f}(@.._.RKP.............................................$.'..........!\...0/2)D......1,;.....9..6.h.*A..^..O.I...-8.zQ.[

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x411310
Entrypoint Section:	.qded
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x391E1568 [Sun May 14 02:54:32 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
loopne 00007F37A8C01B23h
inc eax
add byte ptr [eax], dl
sbb eax, 10480041h
inc ecx
add byte ptr [eax], ch
push ds
or al, 00h
rcl byte ptr [ecx], 1
inc eax
add byte ptr [eax-5FFFBEE4h], bl
adc dword ptr [ecx+00h], eax
test al, 24h
or al, 00h
les edx, fword ptr [ecx]
inc eax
add byte ptr [eax-0FFFBEE3h], ch
adc dword ptr [ecx+00h], eax
add byte ptr [11B4000Ch], ah
inc eax
add byte ptr [eax], ah
sbb al, 41h
add byte ptr [eax-77FFBEF0h], dh
and eax, 11A8000Ch
inc eax
add byte ptr [eax+6800411Bh], cl
adc al, byte ptr [ecx+00h]
or byte ptr [edi], ah
or al, 00h
cwde
adc dword ptr [eax+00h], eax
xor byte ptr [12F40041h], bl
inc ecx
add byte ptr [eax+00000C27h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax+01h], al
add dword ptr [ecx+edi*2+00450040h], ecx
add dword ptr [ecx], eax
test al, 79h
inc eax
add byte ptr [edx+00h], al
add dword ptr [ecx], eax
enter 4079h, 00h
inc ebx
add byte ptr [ecx], al
add esp, esp
jns 00007F37A8C01B52h
add byte ptr [esi+00h], ah
add byte ptr [eax], al
add al, 7Ah
inc eax
add byte ptr [edi+00h], ah
add byte ptr [eax], al
add al, 7Ah
inc eax
add byte ptr [ebp+00h], ah
add dword ptr [ecx], eax
xor byte ptr [edx+40h], bh
add byte ptr [edi], bh
add byte ptr [eax], al
add cl, ch
jp 00007F37A8C01B52h
add byte ptr [ebx], bh
add byte ptr [eax], al
add byte ptr [edi], cl
jnp 00007F37A8C01B52h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0x1338	.mbkpez
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.bkjyr	0x1000	0xf4d1	0x9c00	958538d64a7d301194b0c44ff9e104fc	False	0.639823717948718	data	6.743813643611704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qded	0x11000	0x1470	0x800	93f67463907dc93d89f34cb19168208b	False	0.41650390625	data	3.8764367908914776	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.mbkpez	0x13000	0x14000	0x1e00	5cfc06dd550d1aac8f07e8cd8f464cb4	False	0.6805989583333333	data	6.436615984271382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: LNTi2c9njT.exePID: 2352, Parent PID: 1028

General

Target ID:	0
Start time:	02:41:51
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\LNTi2c9njT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LNTi2c9njT.exe"
Imagebase:	0x400000
File size:	50'688 bytes
MD5 hash:	051E19C60F16F4A60E81A624B8000A9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4724, Parent PID: 2352

General

Target ID:	3
Start time:	02:41:52
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 228
Imagebase:	0xb30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4564, Parent PID: 2352

General

Target ID:	6
Start time:	02:41:52
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 252
Imagebase:	0xb30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: LNTi2c9njT.exePID: 2352, Parent PID: 1028COMMON

Non-executed Functions

Function 0040A91A Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2161313928.0000000000400000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2161336311.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2161358661.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LNTi2c9njT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
Instruction ID: fc6b1c53a0142d53ce8fa4faa6ac3bf358e09cf6d84163a40adb15513231d7ba
Opcode Fuzzy Hash: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
Instruction Fuzzy Hash: D181C532E0562ADBDF14CE68C5406ADB7B1EB85324F1642AADD527B3C1C334AD91CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 00408E59 Relevance: 15.4, Strings: 12, Instructions: 416COMMON

Download Yara Rule

Strings

*keep-alive*, xrefs: 00408FF2
http://, xrefs: 00408F05
P, xrefs: 00408F47
Connection: close, xrefs: 004092CB
Connection: , xrefs: 00408FD7
Content-Length: , xrefs: 00409065, 00409265
/, xrefs: 00408EF6
CONNECT , xrefs: 00408EC2
Proxy-, xrefs: 0040900D
HTTP/1.0 200 Connection established, xrefs: 004091DC
Proxy-Connection: , xrefs: 00408FB6
Host: , xrefs: 00409030

Memory Dump Source

Source File: 00000000.00000002.2161313928.0000000000400000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2161336311.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2161358661.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LNTi2c9njT.jbxd

Similarity

API ID:
String ID: *keep-alive*$/$CONNECT $Connection: $Connection: close$Content-Length: $HTTP/1.0 200 Connection established$Host: $P$Proxy-$Proxy-Connection: $http://
API String ID: 0-737691513
Opcode ID: 698d137080ba02ccb9cccdc6070b53124ae9485514747d9d3cc63f13aa205724
Instruction ID: bb13522f084bb923655411c1ad9593ff2012410c5097fd00fc1f1a6e4451f9ce
Opcode Fuzzy Hash: 698d137080ba02ccb9cccdc6070b53124ae9485514747d9d3cc63f13aa205724
Instruction Fuzzy Hash: AAD1F071A04306BAEF206B759C4AFAF7AA9AF41314F10447BF601B52E3EB7D8D408759

Uniqueness

Uniqueness Score: -1.00%

Function 00409AC4 Relevance: 8.9, Strings: 7, Instructions: 176COMMON

Download Yara Rule

Strings

&pr=, xrefs: 00409C55
&n=, xrefs: 00409B38
&lcp=, xrefs: 00409C1F
&sp=, xrefs: 00409BE6
&i=, xrefs: 00409B7B
&s=, xrefs: 00409BBF
&v=, xrefs: 00409B4A

Memory Dump Source

Source File: 00000000.00000002.2161313928.0000000000400000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2161336311.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2161358661.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LNTi2c9njT.jbxd

Similarity

API ID:
String ID: &i=$&lcp=$&n=$&pr=$&s=$&sp=$&v=
API String ID: 0-1780237566
Opcode ID: 84f4ac7bcb056f0d8930e4c5fcb93fb568359f6ee0b89a8607adfddcedc8f146
Instruction ID: 996a13dee669c886b2ffb44fd7cc0925359650ffb919b3eceeb92c76414f077c
Opcode Fuzzy Hash: 84f4ac7bcb056f0d8930e4c5fcb93fb568359f6ee0b89a8607adfddcedc8f146
Instruction Fuzzy Hash: B45190B28403557BDB01AFB99C46EFF37ACAB45704F08443AFA10F31A1EA799514877A

Uniqueness

Uniqueness Score: -1.00%

Function 00404146 Relevance: 8.9, Strings: 7, Instructions: 148COMMON

Download Yara Rule

Strings

pubring=, xrefs: 0040420D
login: %spassword: %s, xrefs: 004042B3
quik\login.txt, xrefs: 004042CC
secring=, xrefs: 00404220
quik\pubring.txk, xrefs: 00404281
qrypto.cfg, xrefs: 00404190
quik\secring.txk, xrefs: 00404294

Memory Dump Source

Source File: 00000000.00000002.2161313928.0000000000400000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2161336311.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2161358661.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LNTi2c9njT.jbxd

Similarity

API ID:
String ID: login: %spassword: %s$pubring=$qrypto.cfg$quik\login.txt$quik\pubring.txk$quik\secring.txk$secring=
API String ID: 0-2831224199
Opcode ID: 7cdd71eac5871208c56fc59784c37dd3e796d39d269f893b2605d5b412d64fef
Instruction ID: ea94911564e842b23d2d903afa15cf277341123954fda82661bf012b5cbc1ab7
Opcode Fuzzy Hash: 7cdd71eac5871208c56fc59784c37dd3e796d39d269f893b2605d5b412d64fef
Instruction Fuzzy Hash: 9E5183B1A00209EBCF10AFA5DC45AEE77B8AF44304F1441BBF640B21E0D7385A54CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404CED Relevance: 5.3, Strings: 4, Instructions: 340COMMON

Download Yara Rule

Strings

pstorec.dll, xrefs: 00404CFB
Z%a, xrefs: 00404D82, 00404D85
IE Cookies:, xrefs: 00405005
PStoreCreateInstance, xrefs: 00404CF6

Memory Dump Source

Source File: 00000000.00000002.2161313928.0000000000400000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2161336311.0000000000411000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2161358661.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LNTi2c9njT.jbxd

Similarity

API ID:
String ID: IE Cookies:$PStoreCreateInstance$Z%a$pstorec.dll
API String ID: 0-471104514
Opcode ID: 004bdf251eccd7c19653b9ed30ede2331283f43840bf7f6879ca2a0442a13aad
Instruction ID: 6a7cbb800f284ac3039b943023734149d70441609c3f73e8980f078a3784cb7b
Opcode Fuzzy Hash: 004bdf251eccd7c19653b9ed30ede2331283f43840bf7f6879ca2a0442a13aad
Instruction Fuzzy Hash: 94C130B1D00209AFDB11DF94C884EEEBBB9FF88304F14846AE605B7291D7399E45CB65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LNTi2c9njT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LNTi2c9njT.exe_ba2ca29b8f46d8a701a6c71902b27c07b2f2d_5591770a_d54de3a9-c64f-4b8a-997c-278d3efc8b9a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LNTi2c9njT.exe_f9d7df2859891c9163159962fc106b1832c35c77_5591770a_94806dc9-d330-4e87-a959-d85ca9135180\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAED5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF34.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF64.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0D9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB109.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB129.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: LNTi2c9njT.exePID: 2352, Parent PID: 1028

General

Windows Analysis Report
LNTi2c9njT.exe