Windows Analysis Report
FNLJD8Q3.exe

Overview

General Information

Sample name: FNLJD8Q3.exe
Analysis ID: 1639974
MD5: 03448ca5ad0f02a391d177dad4b9073f
SHA1: bc8e48ecd27159d4285a8bd6d722af80164033b0
SHA256: 91a6786843c5205e09e280322de4f921f897af72ba7585af9349116a0f28a7e1
Tags: exe, vidar, user-aachum

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
One or more processes crash
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • FNLJD8Q3.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\FNLJD8Q3.exe" MD5: 03448CA5AD0F02A391D177DAD4B9073F)
    • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 6516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • WerFault.exe (PID: 8072 cmdline: C:\Windows\system32\WerFault.exe -u -p 6600 -s 80 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: FNLJD8Q3.exe | Virustotal: Detection: 39%
Source: FNLJD8Q3.exe | ReversingLabs: Detection: 38%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: FNLJD8Q3.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCE11D4 FindFirstFileExW,3_2_00007FF78CCE11D4
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCE1358 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_00007FF78CCE1358
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: FNLJD8Q3.exe, 00000003.00000002.1307231315.00000290F694D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: FNLJD8Q3.exe, 00000003.00000002.1307231315.00000290F694D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: FNLJD8Q3.exe, 00000003.00000002.1307231315.00000290F694D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/g_etcontent
Source: FNLJD8Q3.exe, 00000003.00000002.1307231315.00000290F694D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6600 -s 80
Source: FNLJD8Q3.exe | Static PE information: Section: .bss ZLIB complexity 1.0003622159090908
Source: classification engine | Classification label: mal52.winEXE@5/5@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6600
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\27168ef0-066e-4e4b-9a71-58f1f58f0d13
Source: FNLJD8Q3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | File read: C:\Users\user\Desktop\FNLJD8Q3.exe
Source: unknown | Process created: C:\Users\user\Desktop\FNLJD8Q3.exe "C:\Users\user\Desktop\FNLJD8Q3.exe"
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6600 -s 80
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Section loaded: apphelp.dll
Source: FNLJD8Q3.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: FNLJD8Q3.exe | Static PE information: section name: .gxfg
Source: FNLJD8Q3.exe | Static PE information: section name: .retplne
Source: FNLJD8Q3.exe | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCDAB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF78CCDAB04
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCDE2EC GetProcessHeap,3_2_00007FF78CCDE2EC
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCD86F4 SetUnhandledExceptionFilter,3_2_00007FF78CCD86F4
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCD8704 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF78CCD8704
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCD8088 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FF78CCD8088
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCE9520 cpuid 3_2_00007FF78CCE9520
Source: C:\Users\user\Desktop\FNLJD8Q3.exe | Code function: 3_2_00007FF78CCD8570 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00007FF78CCD8570
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (techniques flagged for this sample carry the report's count in parentheses; the remaining entries are the matrix's unflagged placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Software Packing (1); Process Injection (11); DLL Side-Loading (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (31); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (12); Application Layer Protocol (1); Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (rendered graph not recoverable) | ID: 1639974 | Sample: FNLJD8Q3.exe | Start date: 16/03/2025 | Architecture: WINDOWS | Score: 52
Signatures shown on graph: Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample
Processes: FNLJD8Q3.exe started WerFault.exe, conhost.exe and MSBuild.exe
Dropped file: C:\ProgramData\Microsoft\...\Report.wer (Unicode), written by WerFault.exe
