Play interactive tour

Edit tour

Analysis Report executable.4420.exe

Overview

General Information

Sample Name:	executable.4420.exe
Analysis ID:	356831
MD5:	6192cfbe8e44360f7c0b6f696206f41d
SHA1:	166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256:	8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
Infos:
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to upload files via FTP

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Startup

System is w10x64

executable.4420.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\executable.4420.exe' MD5: 6192CFBE8E44360F7C0B6F696206F41D)

WerFault.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: executable.4420.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: executable.4420.exe

ReversingLabs: Detection: 74%

Machine Learning detection for sample

Show sources

Source: executable.4420.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: executable.4420.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Binary contains paths to debug symbols

Show sources

Source:	Binary string: shcore.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb> source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbC source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wsock32.pdbO source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb+ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: mfc42.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdbI source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdbU source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb{ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb[ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb7 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: msvcp60.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: mfc42.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb1 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: wsock32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp

Spreading:

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800,

Networking:

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0041B588 __EH_prolog,InternetGetConnectedState,#1199,GetDlgItem,EnableWindow,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemInt,lstrcpyA,IsDlgButtonChecked,InternetOpenA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetConnectA,#1199,GetDlgItem,EnableWindow,FtpSetCurrentDirectoryA,lstrcpyA,FtpCreateDirectoryA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,CreateFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,WriteFile,CloseHandle,CloseHandle,FtpPutFileA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileA,GetDlgItem,EnableWindow,#1199,#800,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004276F1 __EH_prolog,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,GetUserNameA,#3811,#537,#537,#924,#922,#922,#800,#800,#800,#800,#537,#537,#926,#922,FtpPutFileA,#800,#800,#800,#800,DeleteFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#800,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,

Source: WerFault.exe, 00000004.00000003.682815138.0000000004ED6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/downloads.html
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/orderbpk.html_This
Source: executable.4420.exe	String found in binary or memory: http://www.blazingtools.com/update.tmpupdates/bpk.dat

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard,

Source: C:\Users\user\Desktop\executable.4420.exe

System Summary:

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: String function: 0043E4E0 appears 241 times
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: String function: 0043DE26 appears 82 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664

Source: executable.4420.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal60.winEXE@2/4@0/0

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0041C947 GetLastError,FormatMessageA,MessageBoxA,LocalFree,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_004288B3 CreateToolhelp32Snapshot,Module32First,Module32Next,memcpy,CloseHandle,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00429112 CoCreateInstance,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042980F #1168,FindResourceA,#1168,SizeofResource,LoadResource,LockResource,#537,#538,

Source: C:\Users\user\Desktop\executable.4420.exe

File created: C:\Users\user\AppData\Roaming\BPK\

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5865.tmp

Jump to behavior

Source: executable.4420.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\executable.4420.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: executable.4420.exe

ReversingLabs: Detection: 74%

Source: unknown	Process created: C:\Users\user\Desktop\executable.4420.exe 'C:\Users\user\Desktop\executable.4420.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664

Source:	Binary string: shcore.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb> source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbC source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb= source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wsock32.pdbO source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb+ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: mfc42.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdbI source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdbU source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb{ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb[ source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb7 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: msvcp60.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: mfc42.pdbk source: WerFault.exe, 00000004.00000003.666086995.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb1 source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.666073263.000000000512F000.00000004.00000001.sdmp
Source:	Binary string: wsock32.pdb source: WerFault.exe, 00000004.00000003.666092251.00000000052A7000.00000004.00000040.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0043E4E0 push eax; ret
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0043E690 push eax; ret

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\executable.4420.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\executable.4420.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\executable.4420.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 0005h and CTI: jbe 0042AB3Fh
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0014h and CTI: jbe 0042AB4Ch

Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800,
Source: C:\Users\user\Desktop\executable.4420.exe	Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800,

Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.685584401.0000000004EE7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000003.683034880.0000000004EA8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW^
Source: WerFault.exe, 00000004.00000003.672880218.0000000004EE7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll73
Source: WerFault.exe, 00000004.00000002.685643995.0000000004F30000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_0042AAFA CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800,

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00428A6B GetVersionExA,

Remote Access Functionality:

Source: C:\Users\user\Desktop\executable.4420.exe

Code function: 0_2_00410C1A strlen,memset,htons,inet_addr,gethostbyname,bind,memset,htons,inet_addr,gethostbyname,WSASetLastError,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	System Time Discovery11	Remote Services	Clipboard Data2	Exfiltration Over Alternative Protocol1	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
executable.4420.exe	74%	ReversingLabs	Win32.Spyware.Perfect
executable.4420.exe	100%	Avira	HEUR/AGEN.1112545
executable.4420.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.executable.4420.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1112545		Download File
0.0.executable.4420.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1112545		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.blazingtools.com/update.tmpupdates/bpk.dat	0%	Avira URL Cloud	safe
http://www.blazingtools.com/orderbpk.html_This	0%	Avira URL Cloud	safe
http://www.blazingtools.com/downloads.html	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://www.blazingtools.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.blazingtools.com/update.tmpupdates/bpk.dat	executable.4420.exe	false	Avira URL Cloud: safe	unknown
http://www.blazingtools.com/orderbpk.html_This	executable.4420.exe	false	Avira URL Cloud: safe	unknown
http://www.blazingtools.com/downloads.html	executable.4420.exe	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	WerFault.exe, 00000004.00000003.682815138.0000000004ED6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.blazingtools.com/	executable.4420.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356831
Start date:	23.02.2021
Start time:	17:32:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	executable.4420.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.winEXE@2/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 90.1%) Quality average: 71.8% Quality standard deviation: 31.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 168.61.161.212, 13.107.246.254, 23.211.6.115, 52.147.198.201, 104.43.139.144, 13.64.90.137, 51.104.139.180, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 8.248.121.254, 8.253.204.249, 8.248.143.254, 8.248.135.254, 8.248.119.254, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

Time	Type	Description
17:33:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.4420._c4d235e04f7d67dd8b9808a243ef65182404b_dc10a768_1685813a\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11726
Entropy (8bit):	3.769916385992574
Encrypted:	false
SSDEEP:	192:tJknh75BgH/UJuLVe7jBrPAz/u7sWS274ItMP1F:bMw/UJuLcjKz/u7sWX4It0F
MD5:	0C01155023A36D9E2DAB66E877103554
SHA1:	489051F8E0DB7A7AE8F00A4E4DCC53BF37E929F0
SHA-256:	D267EC28890985E2A14E447F22A79DDC147396886D78F9BEE3F72649BBF500FB
SHA-512:	9AA05053FF62920D4F2732F48FC5D7467B48A16C18FB8C5B19D0C3DD10A593C7DA1F459B57748ACB60EC9D37F7401A902A82CDA937CF8DC9D1DCA4D8269B545E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.7.1.5.8.4.6.7.0.9.8.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.7.1.5.8.9.9.3.6.5.8.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.8.f.0.4.6.0.-.3.5.8.3.-.4.b.3.7.-.9.f.3.9.-.8.6.3.4.b.6.2.8.c.3.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.4.4.7.3.3.0.-.1.2.9.a.-.4.7.f.a.-.b.6.f.2.-.7.4.a.e.f.4.0.2.8.8.c.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.x.e.c.u.t.a.b.l.e...4.4.2.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.8.-.0.0.0.1.-.0.0.1.b.-.f.a.c.f.-.b.1.8.c.0.1.0.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.b.e.2.9.9.c.7.9.9.4.b.9.5.3.7.7.c.d.6.2.c.1.5.c.1.9.9.9.1.9.0.0.0.0.f.f.f.f.!.0.0.0.0.1.6.6.8.8.6.0.6.6.f.f.a.b.b.7.6.f.6.b.7.2.c.4.b.4.e.d.9.1.f.a.1.9.e.5.9.9.8.7.a.!.e.x.e.c.u.t.a.b.l.e...4.4.2.0...e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5865.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Feb 23 16:33:05 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	1085526
Entropy (8bit):	1.2210534980162013
Encrypted:	false
SSDEEP:	1536:VcpPfIY/EnrIqBkTiRcO3kkP3nFHBjf2rLk/p17:EgY/tEksVxMrLG7
MD5:	9EA8D8935DD62708B6F7A878CD221E88
SHA1:	999D1845B7B1D709ED65F7DE307E1D26D8168202
SHA-256:	6B3D0461EF3C94BE23362456530AF2703A71753E66390AA1D6B051C3A8308066
SHA-512:	CFD1974D3A8D4280AF8BCE8BA28A605488E27F819A086C535526AB1BD5A8F35E6D03137F9E2B0A2F88A66505C574FA4B2B326E386EEC7C9C83693606FB134BF7
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......A.5`...................U...........B..............GenuineIntelW...........T...........<.5`.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER62F5.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.6945173129731437
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNixWA6JB2T6YrpSUwW8/gmfXlZS/LM+pD089bKbKsfNkkjm:RrlsNin6v2T6YlSUwWUgmfLS/LZKbpfk
MD5:	1FCC27E2DD05A24687AC7AF559479613
SHA1:	161D62CBD1DA5B6AD0B8469B6CDFF5DE3FB6656D
SHA-256:	A3295E86AF60BE69C6DDFA7961E2EA4CA8153201008146D6A1AA5CFCE435D3BB
SHA-512:	D72CD49A3BED6214C6FB9E597C0375D3DF726A5094E826353E6F5C329C046AFB88D98357B18CC354EADC375189B134B5EE667B3A6DE6D80EA1A7938A39861BC3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER64BB.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4597
Entropy (8bit):	4.455068962408137
Encrypted:	false
SSDEEP:	48:cvIwSD8zsZJgtWI9JUkWSC8Bh8fm8M4JSHd8lFr+q8r3Y7wFUHjTd:uITfruU9SN4JS98Lq3+w+HjTd
MD5:	3C9F716FF3820EC27E2BF1DA7EA405D0
SHA1:	1F64446E6CB07224DDB7B6A3C9D6147816623211
SHA-256:	09570CC72E66EF66B1635A9BCC109BFF750049B603A673CCB74F7810B3F9C914
SHA-512:	0EF9AEEAE7120A5302C7493137F31F8E1EAAF7B9AB793A6098DB7EAC068192DA302A32A0BC39002CEF5C02F776E862D86C24D27448C429C6B176D2EC68CBADC0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.300468788976393
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	executable.4420.exe
File size:	438272
MD5:	6192cfbe8e44360f7c0b6f696206f41d
SHA1:	166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256:	8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
SHA512:	d492b9ea094bd6e695a562a855587feaf793be0cb35cf28df681a0022a8e0139a222a68bd578fb65b125fe9fea86f1f596bf337e65a445e8a5286d95ae037857
SSDEEP:	3072:U+NvJwwbI7mZgauugh+KsvkfGDLNj58E2wL6uEXKIwjwxhfgtRlh:9swbYmZgarrKsvVDR5POuE6Iwqf4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u....R...R...R.].R...R.c.R...R.]>R...R.\.R...R.`.R...R\c.R...R.`.R...R.`.R...R.Y.R...R...R.}.R%\.R...R...R...R.Y.R...R.y.R...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x43e7ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x47299316 [Thu Nov 1 08:49:26 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4dc9b0b4e019be52f23cc9a3c195910d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0044A588h
push 0043E91Eh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00444824h]
pop ecx
or dword ptr [00455C18h], FFFFFFFFh
or dword ptr [00455C1Ch], FFFFFFFFh
call dword ptr [004447B4h]
mov ecx, dword ptr [00455BF8h]
mov dword ptr [eax], ecx
call dword ptr [00444754h]
mov ecx, dword ptr [00455BF4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00444758h]
mov eax, dword ptr [eax]
mov dword ptr [00455C14h], eax
call 00007F7478743040h
cmp dword ptr [004550A0h], ebx
jne 00007F747876CACEh
push 0043E948h
call dword ptr [0044475Ch]
pop ecx
call 00007F747876CBC5h
push 00453078h
push 00453074h
call 00007F747876CBB0h
mov eax, dword ptr [00455BF0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00455BECh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00444764h]
push 00453070h
push 00453000h
call 00007F747876CB7Dh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50b58	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0x14cf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x44000	0xaa0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42469	0x43000	False	0.261452746035	COM executable for DOS	3.69971850757	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0xeb80	0xf000	False	0.221451822917	data	3.38138099515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x53000	0x2c20	0x3000	False	0.368815104167	data	4.63470137622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x56000	0x14cf8	0x15000	False	0.0564778645833	data	0.900735057676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WININET.dll	FtpPutFileA, InternetConnectA, FtpSetCurrentDirectoryA, FtpCreateDirectoryA, InternetOpenA, InternetGetConnectedState, InternetCloseHandle
MFC42.DLL
MSVCRT.dll	__p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _except_handler3, _onexit, __dllonexit, ??1type_info@@UAE@XZ, getenv, strrchr, atoi, _ftol, time, difftime, fabs, floor, strcat, srand, __p__fmode, _stricmp, fopen, fwrite, fclose, strchr, memmove, strncpy, setlocale, isspace, _splitpath, _makepath, strcpy, _strlwr, strstr, wcscmp, strcmp, strncmp, malloc, free, sscanf, strlen, sprintf, _purecall, _CxxThrowException, memcpy, memset, __CxxFrameHandler, __set_app_type, rand, _itoa, wcslen, _setmbcp, _controlfp
KERNEL32.dll	CloseHandle, FlushViewOfFile, ReleaseMutex, WaitForSingleObject, CreateFileMappingA, MapViewOfFile, CreateMutexA, CreateFileA, DeviceIoControl, GetFileSize, MulDiv, lstrlenA, lstrcmpA, lstrcpynA, GlobalReAlloc, GlobalHandle, UnmapViewOfFile, LoadResource, LockResource, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, FindFirstFileA, GetComputerNameA, GetDateFormatA, GetTimeFormatA, GetVersionExA, OpenProcess, GetCurrentThreadId, WideCharToMultiByte, lstrlenW, MultiByteToWideChar, SetCurrentDirectoryA, SetFileTime, GetSystemTime, GetStartupInfoA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpyA, ReadFile, WriteFile, lstrcmpiA, DeleteFileA, GetTimeZoneInformation, SetLastError, Sleep, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FileTimeToSystemTime, SetFilePointer, GetFileInformationByHandle, SystemTimeToFileTime, GetLocalTime, CreateProcessA, lstrcatA, EnumResourceNamesA, CopyFileA, GetTempFileNameA, GetTempPathA, LocalFree, FormatMessageA, GetLastError, SizeofResource, RemoveDirectoryA, MoveFileA, CreateDirectoryA, GetSystemDirectoryA, GetModuleFileNameA, GetModuleHandleA, ExpandEnvironmentStringsA, GetCurrentProcessId, FindClose, FindResourceA, FindNextFileA
USER32.dll	GetDlgItemInt, GetDlgItemTextA, MessageBoxA, SetForegroundWindow, FindWindowA, GetWindowTextA, SetClipboardViewer, PostQuitMessage, ChangeClipboardChain, SetMenuDefaultItem, EnableMenuItem, wsprintfA, RegisterHotKey, UnregisterHotKey, LoadImageA, FillRect, DrawTextA, PtInRect, CharLowerA, GetWindowThreadProcessId, AttachThreadInput, CloseClipboard, GetClipboardData, OpenClipboard, IsClipboardFormatAvailable, IsWindowUnicode, LoadStringA, CharUpperBuffA, RedrawWindow, SetWindowLongA, InvalidateRect, MessageBeep, GetDlgCtrlID, DdeFreeStringHandle, IsWindowVisible, GetClassNameA, SendMessageTimeoutA, IsWindow, RegisterWindowMessageA, FindWindowExA, DestroyIcon, AppendMenuA, GetMenuItemCount, GetMenuItemInfoA, GetSubMenu, DrawFrameControl, OffsetRect, DrawIconEx, DrawEdge, GetSystemMetrics, SystemParametersInfoA, GetKeyboardLayout, MapVirtualKeyExA, MapVirtualKeyA, GetKeyNameTextA, EnumChildWindows, GetWindowLongA, IsDlgButtonChecked, GetForegroundWindow, PostMessageA, DdeClientTransaction, DdeGetData, GetSysColor, GetCursorPos, WindowFromPoint, GetCapture, GetWindowRect, GetFocus, InflateRect, CopyRect, DrawFocusRect, SetTimer, GetParent, GetWindowTextLengthA, GetNextDlgTabItem, SetFocus, GetDlgItem, CreatePopupMenu, CheckMenuItem, DdeCreateStringHandleA, GetKeyboardLayoutList, DdeConnect, SendMessageA, EnableWindow, GetDesktopWindow, GetDC, ReleaseDC, DdeFreeDataHandle, DdeDisconnect, DdeInitializeA, DdeUninitialize, KillTimer, DefWindowProcA, IsChild, LoadIconA, SetCursor, LoadCursorA, GetKeyboardLayoutNameA, GetClientRect
GDI32.dll	BitBlt, SelectObject, CreateCompatibleDC, CreatePen, CreateFontIndirectA, Rectangle, GetTextColor, CreateFontA, GetDIBits, CreateCompatibleBitmap, GetTextExtentPoint32A, CreateSolidBrush, SetTextColor, SetBkMode, DeleteDC, CreateDCA, GetStockObject, GetPaletteEntries, GetObjectA, CreateDIBitmap, CreatePalette, RealizePalette, PatBlt, DeleteObject, CreateBitmap
comdlg32.dll	GetOpenFileNameA
ADVAPI32.dll	RegOpenKeyA, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegQueryValueA, RegDeleteValueA, RegCloseKey, RegDeleteKeyA, GetUserNameA, RegOpenKeyExA
SHELL32.dll	Shell_NotifyIconA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHFileOperationA, ShellExecuteA, ExtractIconExA
COMCTL32.dll	ImageList_Remove, ImageList_GetImageCount, ImageList_ReplaceIcon, InitCommonControlsEx
ole32.dll	CoUninitialize, CoInitialize, CoCreateInstance, CoFreeUnusedLibraries
OLEAUT32.dll	SysStringLen, VariantInit, VariantClear, SysAllocString, SysFreeString
urlmon.dll	URLDownloadToFileA
WSOCK32.dll	send, recv, closesocket, select, connect, WSACleanup, ntohl, WSAStartup, htons, ioctlsocket, gethostbyname, bind, WSASetLastError, socket, gethostname
MSVCP60.dll	??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ
RPCRT4.dll	UuidCreate, UuidToStringA, RpcStringFreeA

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:32:52.835212946 CET	65298	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:52.892349958 CET	53	65298	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:53.247808933 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:53.310240030 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:53.459800005 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:53.501657009 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:53.511421919 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:53.550204992 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:53.868103981 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:53.931855917 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:54.423717022 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:54.475142956 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:56.360182047 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:56.408806086 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:57.325617075 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:57.378972054 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:58.483364105 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:58.540673971 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 17:32:59.432522058 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:32:59.494601011 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:00.290999889 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:00.342525005 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:01.303342104 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:01.352052927 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:02.506978035 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:02.557471037 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:03.713850975 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:03.775391102 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:04.744421959 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:04.797744036 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:05.863677979 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:05.912419081 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:06.794970989 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:06.843676090 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:10.461750031 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:10.513417959 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:16.179717064 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:16.230974913 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:17.899775982 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:17.948786020 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:19.083235025 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:19.136178017 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:20.078944921 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:20.127528906 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:20.877273083 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:20.926132917 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:23.138626099 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:23.190361977 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:41.258702993 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:41.352114916 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:42.016740084 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:42.092366934 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:42.684490919 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:42.741871119 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:43.155957937 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:43.216820955 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:43.228245020 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:43.279541016 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:43.878380060 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:43.935725927 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:44.499895096 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:44.557358980 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:45.146218061 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:45.236953974 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:46.009835958 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:46.068258047 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:47.718394041 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:47.776036024 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:48.074347019 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:48.138317108 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:48.232470036 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:48.281176090 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:48.281677008 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:48.330260992 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:58.637748957 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:58.700093985 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 17:33:58.980968952 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:33:59.045989037 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 17:34:03.480015993 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:34:03.543883085 CET	53	55916	8.8.8.8	192.168.2.4
Feb 23, 2021 17:34:32.999061108 CET	52752	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:34:33.050477982 CET	53	52752	8.8.8.8	192.168.2.4
Feb 23, 2021 17:34:34.592492104 CET	60542	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:34:34.650958061 CET	53	60542	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: executable.4420.exe PID: 7112 Parent PID: 5900

General

Start time:	17:33:00
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\executable.4420.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\executable.4420.exe'
Imagebase:	0x400000
File size:	438272 bytes
MD5 hash:	6192CFBE8E44360F7C0B6F696206F41D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exe PID: 5856 Parent PID: 7112

General

Start time:	17:33:02
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 664
Imagebase:	0x3c0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report executable.4420.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: executable.4420.exe PID: 7112 Parent PID: 5900

General

Analysis Process: WerFault.exe PID: 5856 Parent PID: 7112

General

Disassembly

Code Analysis