Edit tour

Windows Analysis Report
OHkRFujs2m.exe

Overview

General Information

Sample name:	OHkRFujs2m.exe renamed because original name is a hash value
Original sample name:	e3df75b478f43b2bc1178c59351f131d.bin.exe
Analysis ID:	1430683
MD5:	e3df75b478f43b2bc1178c59351f131d
SHA1:	1a1292b2d9413b211b288f754eab30b38d31e3bf
SHA256:	d53bda0838a3db470a20a273d1effee7ef42bbc0a337fbb65eddfe079a5d0206
Tags:	exeprg
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Entry point lies outside standard sections

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

OHkRFujs2m.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\OHkRFujs2m.exe" MD5: E3DF75B478F43B2BC1178C59351F131D)

WerFault.exe (PID: 8 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OHkRFujs2m.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: OHkRFujs2m.exe	Virustotal: Detection: 81%			Perma Link
Source: OHkRFujs2m.exe	ReversingLabs: Detection: 89%

Machine Learning detection for sample

Source: OHkRFujs2m.exe

Joe Sandbox ML: detected

Source: OHkRFujs2m.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.208.16.94:443 -> 192.168.2.7:49712 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 104.208.16.94 104.208.16.94

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94
Source: unknown	TCP traffic detected without corresponding DNS query: 104.208.16.94

Source: unknown

HTTP traffic detected: POST /Telemetry.Request HTTP/1.1Connection: Keep-AliveUser-Agent: MSDWMSA_DeviceTicket_Error: 0x80004004Content-Length: 4583Host: umwatson.events.data.microsoft.com

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 104.208.16.94:443 -> 192.168.2.7:49712 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: OHkRFujs2m.exe

Static PE information: section name: .data?

PE file has a writeable .text section

Source: OHkRFujs2m.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\OHkRFujs2m.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 232

Source: OHkRFujs2m.exe

Static PE information: No import functions for PE file found

Source: OHkRFujs2m.exe	Binary or memory string: OriginalFilename vs OHkRFujs2m.exe
Source: OHkRFujs2m.exe, 00000000.00000000.1195207871.0000000000424000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBXH7dT7FBB, vs OHkRFujs2m.exe
Source: OHkRFujs2m.exe	Binary or memory string: OriginalFilenameBXH7dT7FBB, vs OHkRFujs2m.exe

Source: OHkRFujs2m.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.winEXE@2/5@0/1

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2a0a86e5-1e5f-4910-8bc8-091ba0277634

Jump to behavior

Source: C:\Users\user\Desktop\OHkRFujs2m.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OHkRFujs2m.exe	Virustotal: Detection: 81%
Source: OHkRFujs2m.exe	ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\OHkRFujs2m.exe "C:\Users\user\Desktop\OHkRFujs2m.exe"
Source: C:\Users\user\Desktop\OHkRFujs2m.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 232

Source: C:\Users\user\Desktop\OHkRFujs2m.exe

Section loaded: apphelp.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: OHkRFujs2m.exe	Static PE information: section name: .data?
Source: OHkRFujs2m.exe	Static PE information: section name: .code
Source: OHkRFujs2m.exe	Static PE information: section name: .masm
Source: OHkRFujs2m.exe	Static PE information: section name: .

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\OHkRFujs2m.exe

Process queried: DebugPort

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OHkRFujs2m.exe	82%	Virustotal		Browse
OHkRFujs2m.exe	89%	ReversingLabs	Win32.Trojan.Zeus
OHkRFujs2m.exe	100%	Avira	TR/Crypt.XPACK.Gen
OHkRFujs2m.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.208.16.94	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430683
Start date and time:	2024-04-24 02:47:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OHkRFujs2m.exe renamed because original name is a hash value
Original Sample Name:	e3df75b478f43b2bc1178c59351f131d.bin.exe
Detection:	MAL
Classification:	mal68.winEXE@2/5@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target OHkRFujs2m.exe, PID 6552 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
02:48:05	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.208.16.94	bUWKfj04aU.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse
	8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe	Get hash	malicious	GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	bkBeWYmTn4.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, Vidar	Browse
	migrate.zip	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	ec9OT9NGgr.exe	Get hash	malicious	LummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, SmokeLoader	Browse
	s6npqYWxEC.exe	Get hash	malicious	Nymaim	Browse
	puttyy.cmd	Get hash	malicious	Remcos, RHADAMANTHYS	Browse
	https://downloads.sabrent.com/product/hb-b7c3-firmware-update	Get hash	malicious	Unknown	Browse
	sentencia.zip	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	13.107.213.69
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.69
	https://uqgekpc20qn1.azureedge.net/6466/	Get hash	malicious	TechSupportScam	Browse	13.107.213.69
	https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.89.178.26
	https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w	Get hash	malicious	Unknown	Browse	13.107.136.10
	https://condoresorts.com/	Get hash	malicious	Unknown	Browse	13.107.246.69
	https://u44058082.ct.sendgrid.net/ls/click?upn=u001.wjMLvmoK1OC9dTKy5UL4VbqcIJmZWkGKJypB0ZF6j6rXk8HVnxe0g2af-2BenroUoONz6EEWthgE-2Bi2vVRUosKTZRVQ5v63hCdxrdKCztVooIv51imK8tr-2Bb3beAsH6u-2FNluJlUKmd7nST-2B9m-2Bl2Rgv4y6uHLimO0TjhZzZ-2F-2BDlllJQne3tT99z6x4W12pJpddTL-2BoJ2-2Bdo6961pFN3dV2Rg-3D-3DeWGT_h-2FW4DSvZGhKY-2FmU3Rq-2F3L-2FXo2OZSHdaVvlpgAgHQWDXPYB9CNYi-2FcvonFCbsEhjt9RP-2BQa7dTwbMJOOaP3JRnMW6mQAitl6qAb1EkaAR-2BmnZDE6Bi3ooqtCrrMW-2F3TPNMK3AVi1YKIdTOZivmUJGaXdrtbqCykfnTTkN9KMRy80rdRqf6LWUCYWGeeaXb-2BD6jokMbr-2FaJKvKMHDNWAfHyhaE6QO9pw7souFUseKb40g-3D	Get hash	malicious	HTMLPhisher	Browse	52.96.189.2
	zlONcFaXkc.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	23.101.168.44
	KxgGGaiW3E.exe	Get hash	malicious	Quasar	Browse	13.107.213.41
	EXTERNAL Bonnie St Dryden is inviting you to collaborate on One_docx(Apr 23) DOC3848493.msg	Get hash	malicious	HTMLPhisher	Browse	40.126.32.136

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.208.16.94
	z56NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	104.208.16.94
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	104.208.16.94
	Gam.xls	Get hash	malicious	Unknown	Browse	104.208.16.94
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	104.208.16.94
	iPUk65i3yI.exe	Get hash	malicious	LummaC	Browse	104.208.16.94
	asbpKOngY0.exe	Get hash	malicious	LummaC	Browse	104.208.16.94
	VdwJB2cS5l.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.208.16.94
	https://www.epa.gov/climateleadership/simplified-ghg-emissions-calculator	Get hash	malicious	Unknown	Browse	104.208.16.94
	SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.208.16.94

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OHkRFujs2m.exe_ccc029e7440f42aaa9a3f96c2c528b459f2262_e7b9045b_0cdb27ff-1fd0-4065-a5fe-5b576051abb5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6350973369256793
Encrypted:	false
SSDEEP:	96:0GFjMPwvbiJcsuhnU7afiQXIDcQvc6QcEVcw3cE/9QQ+HbHg6ZAX/d5FMT2SlPky:7p0Qbccr0BU/YjEzuiFTZ24IO860
MD5:	EFE07320DCC938105FC7F37DE310A51A
SHA1:	8C52E13B6005359A553CDD70D2F41CC39A87DD90
SHA-256:	9BC5CB163DD6E024C979142A80EA2DDFB4EA54C2412414F65FEA9B62DE7D14FE
SHA-512:	D6DEE4FF85E9D3C3319537B20160B8278D38EC7924879D0EBD3ECD3FAF4BC612A62E50B75DEAC25C8C4F88E691E69FAF1C4BE60A99FF7DAE9F4A9D39034C6AFB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.9.3.2.7.3.1.4.7.2.5.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.9.3.2.7.3.4.9.0.9.9.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.d.b.2.7.f.f.-.1.f.d.0.-.4.0.6.5.-.a.5.f.e.-.5.b.5.7.6.0.5.1.a.b.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.b.5.5.a.e.6.-.5.b.6.4.-.4.7.4.3.-.8.f.0.8.-.4.d.5.5.b.9.9.f.2.8.2.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.H.k.R.F.u.j.s.2.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.8.-.0.0.0.1.-.0.0.1.4.-.d.0.e.4.-.e.6.0.9.e.1.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.d.a.1.d.8.a.0.d.1.c.0.9.e.4.5.3.1.3.4.0.8.c.f.b.2.2.8.3.5.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.1.a.1.2.9.2.b.2.d.9.4.1.3.b.2.1.1.b.2.8.8.f.7.5.4.e.a.b.3.0.b.3.8.d.3.1.e.3.b.f.!.O.H.k.R.F.u.j.s.2.m...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7ACB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 24 00:47:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	2.0606885663609606
Encrypted:	false
SSDEEP:	96:5W8gE3IfsWyI30dci7n3zl7D3uH6m+b+couWI9wIPmPI48pNImVjZ:rU46O3Z7rXm+8TuNImVjZ
MD5:	F13915D9D73D8F840A6FE5EBB3D24BFF
SHA1:	7E934BFCAC513B318BD57830AC205FDCED22AC5E
SHA-256:	09B5989EE7123A766BA7A27D8CC806AE9EBDC934EA4E6BA7F29686632C55DAC4
SHA-512:	854E7D0D08E5AC469B414C54C7422E0A833C98ABFC54095E871F4E20AB728D5AFDBCF2C6AC5738C23672AE37CB9C9E126A83A4B62AA34BF2D359CD64C0A94711
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........V(f............4...............<.......d...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T............V(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B2A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.7023768524224763
Encrypted:	false
SSDEEP:	192:R6l7wVeJek6bEf6YNfSU9GgmfRdprw89bphsfoaDm:R6lXJF6bEf6Y1SU9GgmfRtpafon
MD5:	9940C53F763F4F95102B212C5E1AFDFE
SHA1:	CCAC50B9A5505EB0494DEC28A5B5D454A6A21EB4
SHA-256:	F893CF1B911BEF851853909B9141D556D619AC30372B87B80C2EBC164BC4ECA2
SHA-512:	57BB45890C6E61A8B970136C5BEB74CB261632FE5762971340D8DB5F4B29AA5DD6077FA535E226B327E5FE4ED35B25A842EB5BCBC23D5DE89FD19BA307893E2C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B5A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.4778169518704045
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg77aI9AGyWpW8VYgPYm8M4JC3F5e+q8mi+bL8S7d:uIjfHI7GC7VJSJlRbgS7d
MD5:	095E5A3A4084834D24CE7EA81A46C3C7
SHA1:	9920DBA9D5130229AC31B4CEBBABAF6411DF8888
SHA-256:	15F080B668CAD5E4907AADC3D2E5628732447DAB95A447C2CD35C5175F073C5B
SHA-512:	700179FA55769CDA1FAE2D004221F2AF2394A057700BC61D661BF56A67CE7A0E816B2BBDF28CFEE7EA1F92D632B8EE0C5719EED22A8BAF9F7182C42BD467FD7A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293270" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416673986609114
Encrypted:	false
SSDEEP:	6144:+cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:Li58oSWIZBk2MM6AFBUo
MD5:	545F1199412240D0CC584E44A0AAFD68
SHA1:	273BE574242BE025961245D5212152CA6223D7BE
SHA-256:	08A4632DB1C990F4C91A1C71C96817E3CA72165FB26EBBF74AE7561542DD149A
SHA-512:	2773F8147EB7559B2BCFA37A51804E3692E73542E4A0CBEC6C7D20740C229C061342A2A6BFA763AC46553200F82B78BA8F731623AD2FB60D4C4DD335E960051D
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb.#................................................................................................................................................................................................................................................................................................................................................%.5>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.542595019085764
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OHkRFujs2m.exe
File size:	52'736 bytes
MD5:	e3df75b478f43b2bc1178c59351f131d
SHA1:	1a1292b2d9413b211b288f754eab30b38d31e3bf
SHA256:	d53bda0838a3db470a20a273d1effee7ef42bbc0a337fbb65eddfe079a5d0206
SHA512:	e5c28fef2c8eb9edf55dc8f054645311872217c397c69cce2f52818f679238ee445ebf512344838a7e35b27c57e0aaff498e9a9c8743bc26a0b9360c5b264556
SSDEEP:	1536:Iv7qsuoozpxPK8nlcNjmBXBchp8kSCxPxf:9CgPJihTPxf
TLSH:	BF338D5236E0FD71D9634A7163657BFA63BFEC310D275E03836409891970CC38A67A6B
File Content Preview:	MZ......................@.....................................................6.........`....'......%.......^}f}(@.F.I.N.T.[.W._.`,.4h4.1p...w...^}f}(@.._.RKP.K.../:.\|S.]....$[...?...c....rqtk.5(O.9.sn}P.B..{V.x_..l.>.......&U.ozY.......!d.....PE..L.....[

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4250b6
Entrypoint Section:	.rdata
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x485BBA83 [Fri Jun 20 14:11:15 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 10h
cmp ebx, 00401826h
push FFFFFF8Dh
xor ebx, 00401102h
pop edx
xor edx, 00401FFFh
jnc 00007F492D19A57Ch
add ebx, ebx
add edx, 0040164Dh
xor eax, eax
xor edx, 00401081h
inc eax
push FFFFFFABh
test ebx, 00401FD7h
jp 00007F492D19A578h
test ebx, 00401DA2h
pop edx
push 000625CCh
pop edx
test eax, 00401B58h
sub ebx, 00402736h
jnp 00007F492D19A576h
xor ebx, ebx
cmp edx, eax
cmp edi, 00402C97h
jbe 00007F492D19A572h
cmp edx, 00401926h
push FFFFFF9Dh
add edx, 004019C2h
pop edi
inc edx
xor ebx, ebx
xor esi, esi
push 00062392h
cmp ebx, ebx
pop edx
xor ebx, 00401618h
jnc 00007F492D19A576h
sub eax, eax
xor edi, ebx
xor edi, 004023EAh
js 00007F492D19A574h
xor eax, edi
or edx, 004026E8h
jnle 00007F492D19A584h
test edx, 0040131Fh
cmp edi, 00401633h
add edi, 00401F40h
add edi, 0040284Eh
dec eax
and edi, 00401A74h
sub eax, ebx
add ebx, 00401D19h
je 00007F492D19A578h
test edi, 00401A8Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0x1208	.code
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.data?	0x1000	0xedf3	0x9c00	67481b1c18bad9f479fcee3065eaae88	False	0.6383463541666666	data	6.699114164571233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x10000	0x1887	0x800	1ede6b0a7c939f38ab19264912195a89	False	0.4111328125	data	3.7676938992264213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.code	0x12000	0x12000	0x1600	3c57595632d3d8aad432c5b3bb5f8b6f	False	0.7444957386363636	GLS_BINARY_LSB_FIRST	6.440391540549277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.masm	0x24000	0x1000	0x400	b741358bbeb1f4a0eb6944127cc8d432	False	0.3896484375	data	2.7129703497581117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x25000	0x56a	0x600	cefe6c1d31403b47ff8f3dffcc6c2af2	False	0.765625	data	6.307980323300387	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.	0x26000	0x297	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:48:06.320893049 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:06.320933104 CEST	443	49712	104.208.16.94	192.168.2.7
Apr 24, 2024 02:48:06.321019888 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:06.324605942 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:06.324634075 CEST	443	49712	104.208.16.94	192.168.2.7
Apr 24, 2024 02:48:06.942667007 CEST	443	49712	104.208.16.94	192.168.2.7
Apr 24, 2024 02:48:06.942774057 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:06.942806959 CEST	443	49712	104.208.16.94	192.168.2.7
Apr 24, 2024 02:48:06.942853928 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:06.949795008 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:06.949815035 CEST	443	49712	104.208.16.94	192.168.2.7
Apr 24, 2024 02:48:06.950249910 CEST	443	49712	104.208.16.94	192.168.2.7
Apr 24, 2024 02:48:06.996081114 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:07.004880905 CEST	49712	443	192.168.2.7	104.208.16.94
Apr 24, 2024 02:48:07.005682945 CEST	49712	443	192.168.2.7	104.208.16.94

HTTP Request Dependency Graph

umwatson.events.data.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49712	104.208.16.94	443	8	C:\Windows\SysWOW64\WerFault.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:48:07 UTC	178	OUT	POST /Telemetry.Request HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW MSA_DeviceTicket_Error: 0x80004004 Content-Length: 4583 Host: umwatson.events.data.microsoft.com

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OHkRFujs2m.exePID: 6552, Parent PID: 4056

General

Target ID:	0
Start time:	02:47:52
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\OHkRFujs2m.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OHkRFujs2m.exe"
Imagebase:	0x400000
File size:	52'736 bytes
MD5 hash:	E3DF75B478F43B2BC1178C59351F131D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 8, Parent PID: 6552

General

Target ID:	4
Start time:	02:47:53
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 232
Imagebase:	0x580000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: OHkRFujs2m.exePID: 6552, Parent PID: 4056COMMON

Non-executed Functions

Function 00405D79 Relevance: 15.4, Strings: 12, Instructions: 416COMMON

Download Yara Rule

Strings

HTTP/1.0 200 Connection established, xrefs: 004060FC
Host: , xrefs: 00405F50
/, xrefs: 00405E16
CONNECT , xrefs: 00405DE2
Proxy-Connection: , xrefs: 00405ED6
Proxy-, xrefs: 00405F2D
Connection: close, xrefs: 004061EB
*keep-alive*, xrefs: 00405F12
http://, xrefs: 00405E25
Connection: , xrefs: 00405EF7
Content-Length: , xrefs: 00405F85, 00406185
P, xrefs: 00405E67

Memory Dump Source

Source File: 00000000.00000002.1328704406.0000000000401000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1328684780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328725032.0000000000410000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328746996.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328770502.0000000000424000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328790862.0000000000425000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OHkRFujs2m.jbxd

Similarity

API ID:
String ID: *keep-alive*$/$CONNECT $Connection: $Connection: close$Content-Length: $HTTP/1.0 200 Connection established$Host: $P$Proxy-$Proxy-Connection: $http://
API String ID: 0-737691513
Opcode ID: 60b095789325c6a064d57f8d3c7c15de7911d119163d8105c2305f46c44acf34
Instruction ID: bac61f6994488447091a9de85ebcbe9b49678fad351c487c84841ef50383c471
Opcode Fuzzy Hash: 60b095789325c6a064d57f8d3c7c15de7911d119163d8105c2305f46c44acf34
Instruction Fuzzy Hash: 60D14371A44306BAEB20AB64CC4AFAF7EA9DF05304F10453BF605B52E2E77D89508B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405847 Relevance: 7.8, Strings: 6, Instructions: 340COMMON

Download Yara Rule

Strings

PStoreCreateInstance, xrefs: 00405850
Z%a, xrefs: 004058DC, 004058DF
vE@, xrefs: 00405A94, 00405A85, 00405A9C, 00405A8D
IE Cookies:, xrefs: 00405B5F
vE@, xrefs: 00405958, 0040599E, 00405A69, 00405A6F, 00405A76, 004059F9, 004059B5, 0040595B, 004059DA
pstorec.dll, xrefs: 00405855

Memory Dump Source

Source File: 00000000.00000002.1328704406.0000000000401000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1328684780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328725032.0000000000410000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328746996.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328770502.0000000000424000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328790862.0000000000425000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OHkRFujs2m.jbxd

Similarity

API ID:
String ID: IE Cookies:$PStoreCreateInstance$Z%a$pstorec.dll$vE@$vE@
API String ID: 0-1082442805
Opcode ID: a0b5fe7a7c450f4976f7076c09e2c05382c7cb92ff7ea5e19cfd7459f1d10eb2
Instruction ID: b7194221d7dccc58e23e834469b20d732f4e83b672a11d8ab1181681f1f7620a
Opcode Fuzzy Hash: a0b5fe7a7c450f4976f7076c09e2c05382c7cb92ff7ea5e19cfd7459f1d10eb2
Instruction Fuzzy Hash: 9BC14AB1E00609EFDB11DF94C884AEFBBB9EF48304F14856AE501B7291D639AE45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00404485 Relevance: 6.4, Strings: 5, Instructions: 199COMMON

Download Yara Rule

Strings

GetProcAddress, xrefs: 004044C2
software\microsoft\internet explorer\main, xrefs: 00404603
LoadLibraryA, xrefs: 004044AD
Start Page, xrefs: 004045FE
rsldps, xrefs: 00404537

Memory Dump Source

Source File: 00000000.00000002.1328704406.0000000000401000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1328684780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328725032.0000000000410000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328746996.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328770502.0000000000424000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328790862.0000000000425000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OHkRFujs2m.jbxd

Similarity

API ID:
String ID: GetProcAddress$LoadLibraryA$Start Page$rsldps$software\microsoft\internet explorer\main
API String ID: 0-2928055629
Opcode ID: c65f9a841f0887d6640ad66881c0b4714c1e504f279f5cf6873a2e585bdef50c
Instruction ID: f815b0c150b0a6d1cce2bb7f630ab607f262a58a3c19a027c8e5d43cf20b480c
Opcode Fuzzy Hash: c65f9a841f0887d6640ad66881c0b4714c1e504f279f5cf6873a2e585bdef50c
Instruction Fuzzy Hash: C851B6B1C00114BBDB10BBA69C82DAF7BACEF45314F14457BFA05B22D2E73D59508AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00407CF8 Relevance: 5.2, Strings: 4, Instructions: 203COMMON

Download Yara Rule

Strings

*<option selected, xrefs: 00407DD2
*<select , xrefs: 00407D97
*<input *value=", xrefs: 00407E4C
/, xrefs: 00407D25

Memory Dump Source

Source File: 00000000.00000002.1328704406.0000000000401000.00000008.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1328684780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328725032.0000000000410000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328746996.0000000000412000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328770502.0000000000424000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1328790862.0000000000425000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OHkRFujs2m.jbxd

Similarity

API ID:
String ID: *<input *value="$*<option selected$*<select $/
API String ID: 0-2404899240
Opcode ID: 2f91c98476d8f1a1feb8aca0bed17b1edde65172b77543efff70379a10f0947e
Instruction ID: 1feefbfd5e79bb697a8e047d866629bcff2da6c8e0f2db86948648c6f09b3f78
Opcode Fuzzy Hash: 2f91c98476d8f1a1feb8aca0bed17b1edde65172b77543efff70379a10f0947e
Instruction Fuzzy Hash: 49611172D0810AAFDF118B94CC85FEE7B78EF44304F1444BAE600B72D1DA786D858BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OHkRFujs2m.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OHkRFujs2m.exe_ccc029e7440f42aaa9a3f96c2c528b459f2262_e7b9045b_0cdb27ff-1fd0-4065-a5fe-5b576051abb5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7ACB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B2A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B5A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: OHkRFujs2m.exePID: 6552, Parent PID: 4056

Windows Analysis Report
OHkRFujs2m.exe