Edit tour

Windows Analysis Report
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip

Overview

General Information

Sample URL:	https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Analysis ID:	597349
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

DLL side loading technique detected

Sigma detected: Suspicious Call by Ordinal

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

AV process strings found (often used to terminate AV products)

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

Found large amount of non-executed APIs

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64native

cmd.exe (PID: 4880 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wget.exe (PID: 3076 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

7za.exe (PID: 2648 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

loaddll64.exe (PID: 7556 cmdline: loaddll64.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 1604 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 1224 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3148 cmdline: C:\Windows\system32\WerFault.exe -u -p 1224 -s 432 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 3196 cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 4104 cmdline: C:\Windows\system32\WerFault.exe -u -p 3196 -s 436 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 3404 cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7720 cmdline: C:\Windows\system32\WerFault.exe -u -p 3404 -s 432 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 4776 cmdline: rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 372 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3148 cmdline: C:\Windows\system32\WerFault.exe -u -p 372 -s 428 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 428 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3344 cmdline: C:\Windows\system32\WerFault.exe -u -p 428 -s 424 MD5: 5C06542FED8EE68994D43938E7326D75)

rundll32.exe (PID: 6664 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3644 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",isUnicode MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6640 cmdline: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",messageProc MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1604, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1, ProcessId: 1224, ProcessName: rundll32.exe

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" , CommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wget.exe, NewProcessName: C:\Windows\SysWOW64\wget.exe, OriginalFileName: C:\Windows\SysWOW64\wget.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4880, ParentProcessName: cmd.exe, ProcessCommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" , ProcessId: 3076, ProcessName: wget.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.11.20:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.11.20:49751 version: TLS 1.2

Source:	Binary string: C:\projects\compare-plugin\Notepad++\plugins\ComparePlugin.pdb source: rundll32.exe, 00000008.00000002.53133614574.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000000.53107375345.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.53160095731.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000000.53198315997.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197555059.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr
Source:	Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll.4.dr

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDCA3784 FindFirstFileExA,

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wget.exe, wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000002.53072409006.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.53070031005.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crlJ
Source: git2.dll.4.dr	String found in binary or memory: http://libgit2.github.com/D
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: 7za.exe, 00000004.00000003.53082213532.0000000003240000.00000004.00000800.00020000.00000000.sdmp, sqlite3.dll.4.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: rundll32.exe, 00000008.00000002.53133927537.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.53134812123.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000000.53134991199.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.53225101572.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197852442.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr	String found in binary or memory: https://github.com/jsleroy/compare-plugin
Source: rundll32.exe, 00000008.00000002.53133927537.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.53134812123.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000000.53134991199.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.53225101572.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197852442.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr	String found in binary or memory: https://github.com/pnedev/compare-plugin
Source: wget.exe, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugi
Source: wget.exe, 00000002.00000002.53071396618.0000000000190000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Source: wget.exe, 00000002.00000002.53072228538.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip_5
Source: wget.exe, 00000002.00000002.53072228538.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zipneDriv
Source: cmdline.out.0.dr	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-

Source: unknown

DNS traffic detected: queries for: github.com

Source: global traffic	HTTP traffic detected: GET /pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-49d7-8eb8-da1dde346952?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220325T191320Z&X-Amz-Expires=300&X-Amz-Signature=5053414ddd70e50734eacb002da0a5ed0adb35bb4bd3c967d01196cf1c48f106&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50095301&response-content-disposition=attachment%3B%20filename%3DComparePlugin_v2.0.2_X64.zip&response-content-type=application%2Foctet-stream HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: objects.githubusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.11.20:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.11.20:49751 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3196 -s 436

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC94E30
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC825E0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8FE10
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC945B0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC9FDA4
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC905A0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCA3578
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC91580
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCAB4D3
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC83CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC894C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC82890
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCAA098
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCAA890
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC90880
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC88800
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC81FA0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCA5760
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8DF80
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC89720
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCAAEFC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC94280
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC861F0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8A9D0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCAB170
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC9D910
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC860C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC920C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDCA5C30
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC89C30
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC823D0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC87B90
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC9DB8C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC88330
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8F350
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8AB00
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8FAA0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC90AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC8E2D0

Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ComparePlugin.dll.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\wget.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\loaddll64.exe	Section loaded: edgegdi.dll

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip"
Source: unknown	Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3196 -s 436
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1224 -s 432
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3404 -s 432
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",isUnicode
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",messageProc
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 428 -s 424
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getFuncsArray
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",beNotified
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getFuncsArray
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",getName
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",isUnicode
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",messageProc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8cc57867-0d7d-43e4-a6c6-6997b62c56f9

Jump to behavior

Source: classification engine

Classification label: mal48.evad.win@31/28@2/2

Source: sqlite3.dll.4.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: rundll32.exe	Binary or memory string: SELECT checksum FROM nodes_current WHERE local_relpath='%s';
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.4.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll.4.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: sqlite3.dll.4.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3196
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess372
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3404
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess428
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:304:WilStaging_02
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1224

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDC961D0 FindResourceW,LoadResource,LockResource,SizeofResource,GlobalAlloc,GlobalLock,

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: C:\projects\compare-plugin\Notepad++\plugins\ComparePlugin.pdb source: rundll32.exe, 00000008.00000002.53133614574.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000000.53107375345.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000002.53160095731.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000000.53198315997.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197555059.00007FFBBDCAC000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr
Source:	Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll.4.dr

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02DF38E0 pushad ; ret
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02DECA48 pushad ; retn 0078h
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02DECE00 pushfd ; retn 0000h
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_02DECC31 pushad ; retn 0078h
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00A68000 push ebx; retf
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00A68E4A push eax; retf
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_02DF38E0 pushad ; ret

Source: sqlite3.dll.4.dr

Static PE information: section name: text

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDC91870 GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\Desktop\extract\ComparePlugin\git2.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\Desktop\extract\ComparePlugin.dll	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll64.exe TID: 6528

Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\extract\ComparePlugin\git2.dll			Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.5 %

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDCA3784 FindFirstFileExA,

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Source: wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: wget.exe	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDC98F40 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDCA47F4 GetProcessHeap,

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC98F40 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC98270 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00007FFBBDC9C2DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\System32\loaddll64.exe	Section loaded: C:\Users\user\Desktop\extract\ComparePlugin.dll
Source: C:\Windows\System32\loaddll64.exe	Section loaded: C:\Users\user\Desktop\extract\ComparePlugin.dll

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll",#1

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDCA9C70 cpuid

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00007FFBBDC99090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	11 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip	0%	Virustotal		Browse
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\Desktop\extract\ComparePlugin.dll	0%	Metadefender	Browse
C:\Users\user\Desktop\extract\ComparePlugin.dll	0%	ReversingLabs
C:\Users\user\Desktop\extract\ComparePlugin\git2.dll	0%	Metadefender	Browse
C:\Users\user\Desktop\extract\ComparePlugin\git2.dll	0%	ReversingLabs
C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll	0%	Metadefender	Browse
C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	140.82.121.4	true	false		high
objects.githubusercontent.com	185.199.110.133	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip_5	wget.exe, 00000002.00000002.53072228538.0000000001410000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pnedev/compare-plugin	rundll32.exe, 00000008.00000002.53133927537.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.53134812123.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000000.53134991199.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.53225101572.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197852442.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr	false		high
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugi	wget.exe, wget.exe, 00000002.00000002.53071734243.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zipneDriv	wget.exe, 00000002.00000002.53072228538.0000000001410000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	false		high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-	cmdline.out.0.dr	false	Avira URL Cloud: safe	unknown
http://libgit2.github.com/D	git2.dll.4.dr	false		high
http://www.sqlite.org/copyright.html.	7za.exe, 00000004.00000003.53082213532.0000000003240000.00000004.00000800.00020000.00000000.sdmp, sqlite3.dll.4.dr	false		high
https://github.com/jsleroy/compare-plugin	rundll32.exe, 00000008.00000002.53133927537.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000009.00000002.53134812123.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000010.00000000.53134991199.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000015.00000002.53225101572.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, rundll32.exe, 00000016.00000000.53197852442.00007FFBBDCC8000.00000002.00000001.01000000.00000004.sdmp, ComparePlugin.dll.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
140.82.121.4	github.com	United States		36459	GITHUBUS	false
185.199.110.133	objects.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	597349
Start date and time:	2022-03-25 19:13:21 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	urldownload.jbs
Sample URL:	https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.evad.win@31/28@2/2
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 20.93.58.141, 20.42.65.92, 20.189.173.21, 20.82.209.183, 20.40.129.122
Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, arc.msn.com, wdcpalt.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, umwatson.events.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com
Execution Graph export aborted for target wget.exe, PID 3076 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
20:15:20	API Interceptor	5x Sleep call for process: WerFault.exe modified
20:15:26	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8276584589052882
Encrypted:	false
SSDEEP:	192:IDDoiSyIV8xmjiqFj0AfuDu76+fAlx8ii:+DoiPIV8gjiqFj0xDu76+fAlx8P
MD5:	FE4DDCAE09649257CF9B34AE2582F0B4
SHA1:	7436C928550783032D4384CA9DCC49B3F668CC94
SHA-256:	FC4DD2EA5DAF30AA344D508367B42D7E13F1D2CDB972A45418D329A0D4A9C288
SHA-512:	D70EA830DCD2AA1960124EFD5D52D6512FDAE3E2860734BEDFAE92072B248FFBABDD84C4000768E7E622CAFD9E4340F301DD5F6E45987A7E9F89DC86850A3B3D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.2.7.1.2.9.2.1.0.6.0.7.5.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.2.7.1.2.9.2.1.9.0.4.3.1.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.9.9.2.5.6.d.0.-.1.9.3.0.-.4.5.f.7.-.b.8.f.8.-.e.5.d.b.7.1.2.5.3.1.d.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.0.c.a.3.6.6.-.b.c.4.0.-.4.b.2.7.-.a.1.f.1.-.8.7.e.1.b.7.3.1.2.d.c.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.C.o.m.p.a.r.e.P.l.u.g.i.n...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.4.c.-.0.0.0.1.-.0.0.1.5.-.8.2.7.2.-.0.d.0.d.8.5.4.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	4168
Entropy (8bit):	4.373738299569115
Encrypted:	false
SSDEEP:	48:RmXf4rou93Prou93vD0D56+0QlcAkdTyapS2APBQ0yNr:RwEhyapPR
MD5:	8ED3CC43EAA9DEA8835351A33940FC98
SHA1:	0A0FBF7FBC3FA92A42B27F54AD7010012D383573
SHA-256:	4148A083CCFE9BA5D9E2348B4D2BCBDF77453F2C36134C9A25471EB74D520E1D
SHA-512:	30B53EAFE3F0B2B435CA2B3107A3CA1BBBF4AB22ED4EB58C05EF3F05087ADD24F3C3F38580FF5679F59E110BD1A936BC1A9D07C1180F8C6B92F904300CCA5207
Malicious:	false
Reputation:	low
Preview:	--2022-03-25 20:15:12-- https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip..Resolving github.com (github.com)... 140.82.121.4..Connecting to github.com (github.com)\|140.82.121.4\|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-49d7-8eb8-da1dde346952?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220325T191320Z&X-Amz-Expires=300&X-Amz-Signature=5053414ddd70e50734eacb002da0a5ed0adb35bb4bd3c967d01196cf1c48f106&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50095301&response-content-disposition=attachment%3B%20filename%3DComparePlugin_v2.0.2_X64.zip&response-content-type=application%2Foctet-stream [following]..--2022-03-25 20:15:12-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1388181
Entropy (8bit):	7.997956887940178
Encrypted:	true
SSDEEP:	24576:6fxvnjZQ0clHZk5XyurCaIGi2r97lgEFl963UD9TXKlApp5IZm5:Wxvq0clHZwiurC9Y7lgW96K9TXKl4
MD5:	DA0CC28CDEC8749872F8C51E79CB68B2
SHA1:	A9D5A3930538642E171622ACB62291F011FAB003
SHA-256:	4151FBC9778047991CF4B900363D846BDA5B0D1783E5FED9EB77E4C8253BA315
SHA-512:	3B01251BDBC2ED627D71C155067EB2D48155A9638CB0B96FD925221625A6029CEB08A633D5A24C1AD332B2AD517AAFC85AFADB964822B483461F3312A01B50F3
Malicious:	false
Reputation:	low
Preview:	PK........p~BT................ComparePlugin/PK........p~BT...xe....b......ComparePlugin.dll.]{@TU......T.3sJ.si......;:.f...i.Y...)4.Lwg....Y.n.Y..z...V....n.."..C.....;...k.c.X.........s...s..w..I.$3.PH.6K..)... I.G6...Ky.....'\.`..G..k.X\|.U...^}.5^.e...}W;.^.(=o..k..76==5[+.`....~.?I.=.M.N...{......^Nibws...nIy..5._g}..h].....})..p.7L....G..W8...s..>...2I....t..#..q........(I..8._.\;{k..~$'qT.:...\.g.;..q...@.n..c,f)...yf....l..HR...tA?m..k.r..H_...l.....c..y....$h7..8$.j.../..SO.4P......?'...`..x.AO....S<\..j..4...X..)..+./.\|........D8.%.O.W...eN.x.....ki<.c.)o.E..pL....2.n....'....7...o>1Ir..O8_.Q7.%I.......[.f>I.....F..H).Ws.......\..@.~g.\..S.}~..}.1...\.e.Q..&.H..R/..0 .f.?.1...............4!.2...1.g<....-.......-...p>...p....d..,.[.F............g.E.H...l...?...8D8...*.C.p.........C.H...#}ZC..WC...%...E.V9....j.+C8.yh.....R....%5rp....+...@..Xbu6,I..K.r....7.v..E.y.....:.V.o..W.9\|..."...H.....p.~...T.,.d..[.......J..t.2.

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	6.183705147240815
Encrypted:	false
SSDEEP:	6144:0IfvPfxEsrL2fN7pYUMv3T0j22qZR/kUV8vFiFebnCBiloC1Os31+:bhZL0NdYUMv3p2qZR/kUqvFF2B4oIOX
MD5:	913E79C2C839355E296425CDB6DBF920
SHA1:	960566EAAA109C21A93FBD44A594FE20549F2B69
SHA-256:	D7F501E35C8B92CCE2D9B8FC18CFB8770426FBE362406F2EE73DB2C8F7D6ADF3
SHA-512:	3548B3C2C9F7DE8BB3A4F36884A7FCC73A78169FD0EDF989CBAA68359923387D85F010607F1C1FAB4E4494861A86E62CFC34374A03FAA5183DF129AB30D581EA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E.[.$...$...$....L..$....N..$....O..$...z...$...z...$...z...$..o.v..$...$..i$...z...$...z...$.. zB..$...$*..$...z...$..Rich.$..........PE..d......a.........." .....................................................................`.................................................H...........0<...0...-..............,...ps..T...................ht..(....s...............................................text...R........................... ..`.rdata........... ..................@..@.data...,B..........................@....pdata...-...0......................@..@.gfids.......`......................@..@.tls.........p......................@....rsrc...0<.......>..................@..@.reloc..,............X..............@..B........................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2022 20:15:13.316870928 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.316950083 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.317168951 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.318430901 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.318487883 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.363451958 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.363778114 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.365273952 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.365304947 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.365747929 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.367796898 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.381901026 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.381998062 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.382117987 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.382226944 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.382392883 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.388314009 CET	49750	443	192.168.11.20	140.82.121.4
Mar 25, 2022 20:15:13.388336897 CET	443	49750	140.82.121.4	192.168.11.20
Mar 25, 2022 20:15:13.420128107 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:13.420211077 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:13.420381069 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:13.421432972 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:13.421483994 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:13.464063883 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:13.464518070 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:13.465609074 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:13.465645075 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:13.466335058 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:13.467444897 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:13.507993937 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.024856091 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.025118113 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.025247097 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.025374889 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.025518894 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.025602102 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.025650978 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.025831938 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.025866985 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.026084900 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.026316881 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.026333094 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.026372910 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.026571035 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.026614904 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.026793003 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.026971102 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027038097 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.027069092 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027162075 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.027276993 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027410984 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027486086 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.027513981 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027623892 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027692080 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.027719975 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027882099 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.027911901 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.027945995 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.028070927 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.028103113 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.028275013 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.028470993 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.028497934 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.028562069 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.028775930 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.032788992 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033109903 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033227921 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033325911 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033339977 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.033370972 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033552885 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.033595085 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033631086 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.033823013 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.033857107 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.034065008 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.034096003 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.034276009 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.034492970 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.034523010 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.034573078 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.034687042 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.034713984 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.034780025 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.035343885 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.035402060 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.035504103 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.035537004 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.035547972 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.035574913 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.035598040 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.035628080 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.035643101 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.040728092 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.040770054 CET	443	49751	185.199.110.133	192.168.11.20
Mar 25, 2022 20:15:14.040910959 CET	49751	443	192.168.11.20	185.199.110.133
Mar 25, 2022 20:15:14.040941000 CET	443	49751	185.199.110.133	192.168.11.20

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2022 20:15:13.301995039 CET	62930	53	192.168.11.20	1.1.1.1
Mar 25, 2022 20:15:13.311404943 CET	53	62930	1.1.1.1	192.168.11.20
Mar 25, 2022 20:15:13.409169912 CET	58485	53	192.168.11.20	1.1.1.1
Mar 25, 2022 20:15:13.417960882 CET	53	58485	1.1.1.1	192.168.11.20

Timestamp	kBytes transferred	Direction	Data
2022-03-25 19:15:13 UTC	0	OUT	GET /pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: github.com Connection: Keep-Alive
2022-03-25 19:15:13 UTC	0	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Fri, 25 Mar 2022 19:13:20 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Accept-Encoding, Accept, X-Requested-With permissions-policy: interest-cohort=() Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-49d7-8eb8-da1dde346952?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220325%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220325T191320Z&X-Amz-Expires=300&X-Amz-Signature=5053414ddd70e50734eacb002da0a5ed0adb35bb4bd3c967d01196cf1c48f106&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50095301&response-content-disposition=attachment%3B%20filename%3DComparePlugin_v2.0.2_X64.zip&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-03-25 19:15:13 UTC	1	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.
2022-03-25 19:15:13 UTC	2	IN	Data Raw: 58 2d 47 69 74 48 75 62 2d 52 65 71 75 65 73 74 2d 49 64 3a 20 43 46 44 45 3a 45 34 39 41 3a 31 46 36 33 36 41 45 3a 32 30 45 36 41 33 42 3a 36 32 33 45 31 34 43 31 0d 0a 63 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: X-GitHub-Request-Id: CFDE:E49A:1F636AE:20E6A3B:623E14C1connection: close
2022-03-25 19:15:13 UTC	2	IN	Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6f 62 6a 65 63 74 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 67 69 74 68 75 62 2d 70 72 6f 64 75 63 74 69 6f 6e 2d 72 65 6c 65 61 73 65 2d 61 73 73 65 74 2d 32 65 36 35 62 65 2f 35 30 30 39 35 33 30 31 2f 66 30 61 61 64 39 32 62 2d 65 62 66 39 2d 34 39 64 37 2d 38 65 62 38 2d 64 61 31 64 64 65 33 34 36 39 35 32 3f 58 2d 41 6d 7a 2d 41 6c 67 6f 72 69 74 68 6d 3d 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 26 61 6d 70 3b 58 2d 41 6d 7a 2d 43 72 65 64 65 6e 74 69 61 6c 3d 41 4b 49 41 49 57 4e 4a 59 41 58 34 43 53 56 45 48 35 33 41 25 32 46 32 30 32 32 30 33 32 35 25 32 46 75 73 2d 65 61 73 74 2d 31 Data Ascii: <html><body>You are being <a href="https://objects.githubusercontent.com/github-production-release-asset-2e65be/50095301/f0aad92b-ebf9-49d7-8eb8-da1dde346952?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220325%2Fus-east-1

Target ID:	0
Start time:	20:15:12
Start date:	25/03/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip" > cmdline.out 2>&1
Imagebase:	0xf0000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	4
Start time:	20:15:14
Start date:	25/03/2022
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip"
Imagebase:	0x770000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	6
Start time:	20:15:16
Start date:	25/03/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\extract\ComparePlugin.dll"
Imagebase:	0x7ff727a30000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	8
Start time:	20:15:17
Start date:	25/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,beNotified
Imagebase:	0x7ff61ea80000
File size:	71680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	14
Start time:	20:15:18
Start date:	25/03/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3196 -s 436
Imagebase:	0x7ff7694f0000
File size:	568632 bytes
MD5 hash:	5C06542FED8EE68994D43938E7326D75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	20
Start time:	20:15:23
Start date:	25/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\extract\ComparePlugin.dll,getName
Imagebase:	0x7ff711ce0000
File size:	71680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	28
Start time:	20:15:27
Start date:	25/03/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 372 -s 428
Imagebase:	0x7ff7694f0000
File size:	568632 bytes
MD5 hash:	5C06542FED8EE68994D43938E7326D75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Com_a390959f1f8b5ca1582bdff61f9451e7944f2ec_71036408_399256d0-1930-45f7-b8f8-e5db712531dc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Com_a390959f1f8b5ca1582bdff61f9451e7944f2ec_71036408_7b33abf3-139a-4117-9db1-e0552caf4048\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Com_cf6dae3a8bcb14daf052b4753019709517e7_71036408_8d113b16-a122-48e1-973a-0e9340f5e74b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Com_cf6dae3a8bcb14daf052b4753019709517e7_71036408_9c2fb87e-0516-41f9-ad98-9e013c83d1cb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Com_cf6dae3a8bcb14daf052b4753019709517e7_71036408_bc772a15-5856-4b2d-aa65-5a0d4f57349d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER399E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39AD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B06.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B45.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B94.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BD2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER445C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4586.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER45B5.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C97.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CE5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DF0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E3E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E8D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EAC.tmp.xml

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\ComparePlugin_v2.0.2_X64.zip

Windows Analysis Report
https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre