Edit tour

Windows Analysis Report
7Y18r(212).exe

Overview

General Information

Sample name:	7Y18r(212).exe
Analysis ID:	1482712
MD5:	694c32cb655bcdc5ee56749cb64124e8
SHA1:	d9ca3ffeeb391cbdd034861f119f221daa817e31
SHA256:	347b1528f270d85186eca01132cb9b6fdbb818d317d5a17ac4772f2381473095
Tags:	exe
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to read the PEB

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

7Y18r(212).exe (PID: 6276 cmdline: "C:\Users\user\Desktop\7Y18r(212).exe" MD5: 694C32CB655BCDC5EE56749CB64124E8)

nuwcjd.exe (PID: 2244 cmdline: C:\Users\user\AppData\Local\Temp\nuwcjd.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 5024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1568 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 244 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: nuwcjd.exe PID: 2244	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T02:37:57.191863+0200
SID:	2022930
Source Port:	443
Destination Port:	55977
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-26T02:37:40.206459+0200
SID:	2838522
Source Port:	51208
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T02:38:15.891536+0200
SID:	2022930
Source Port:	443
Destination Port:	58025
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-26T02:37:41.199113+0200
SID:	2838522
Source Port:	51208
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.6

Timestamp:	2024-07-26T02:38:16.990641+0200
SID:	2022930
Source Port:	443
Destination Port:	58026
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7Y18r(212).exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarI	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarH	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarE	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar$	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/q	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarI	Virustotal: Detection: 9%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarH	Virustotal: Detection: 10%	Perma Link
Source: http://ddos.dnsnb8.net/q	Virustotal: Detection: 14%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rar$	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarE	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Virustotal: Detection: 93%			Perma Link

Multi AV Scanner detection for submitted file

Source: 7Y18r(212).exe	ReversingLabs: Detection: 95%
Source: 7Y18r(212).exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7Y18r(212).exe

Joe Sandbox ML: detected

Source: 7Y18r(212).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00B129E2

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B12B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00B12B8C

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B11099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_00B11099

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: nuwcjd.exe, 00000001.00000003.2133066360.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, nuwcjd.exe, 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/q
Source: nuwcjd.exe, 00000001.00000002.2203564540.000000000289A000.00000004.00000010.00020000.00000000.sdmp, nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar$
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarE
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarH
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarI
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_13bd8487-a

System Summary

PE file contains section with special chars

Source: 7Y18r(212).exe	Static PE information: section name: i]\|u
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: nuwcjd.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Code function: 1_2_00B16076		1_2_00B16076
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Code function: 1_2_00B16D00		1_2_00B16D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nuwcjd.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Users\user\Desktop\7Y18r(212).exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 244

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: 7Y18r(212).exe

Static PE information: Number of sections : 14 > 10

Source: 7Y18r(212).exe

Static PE information: No import functions for PE file found

Source: 7Y18r(212).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: nuwcjd.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: nuwcjd.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: nuwcjd.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/13@3/0

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B1119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_00B1119F

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6276
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2244

Source: C:\Users\user\Desktop\7Y18r(212).exe

File created: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Jump to behavior

Source: C:\Users\user\Desktop\7Y18r(212).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7Y18r(212).exe	ReversingLabs: Detection: 95%
Source: 7Y18r(212).exe	Virustotal: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\7Y18r(212).exe "C:\Users\user\Desktop\7Y18r(212).exe"
Source: C:\Users\user\Desktop\7Y18r(212).exe	Process created: C:\Users\user\AppData\Local\Temp\nuwcjd.exe C:\Users\user\AppData\Local\Temp\nuwcjd.exe
Source: C:\Users\user\Desktop\7Y18r(212).exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 244
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1568
Source: C:\Users\user\Desktop\7Y18r(212).exe	Process created: C:\Users\user\AppData\Local\Temp\nuwcjd.exe C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Jump to behavior

Source: C:\Users\user\Desktop\7Y18r(212).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 7Y18r(212).exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 7Y18r(212).exe

Static file information: File size 4981248 > 1048576

Source: 7Y18r(212).exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e3e00

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Unpacked PE file: 1.2.nuwcjd.exe.b10000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: i]|u

Source: 7Y18r(212).exe	Static PE information: section name: /4
Source: 7Y18r(212).exe	Static PE information: section name: /18
Source: 7Y18r(212).exe	Static PE information: section name: /30
Source: 7Y18r(212).exe	Static PE information: section name: /43
Source: 7Y18r(212).exe	Static PE information: section name: /59
Source: 7Y18r(212).exe	Static PE information: section name: /75
Source: 7Y18r(212).exe	Static PE information: section name: /90
Source: 7Y18r(212).exe	Static PE information: section name: /109
Source: 7Y18r(212).exe	Static PE information: section name: .symtab
Source: 7Y18r(212).exe	Static PE information: section name: i]\|u
Source: nuwcjd.exe.0.dr	Static PE information: section name: .aspack
Source: nuwcjd.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Code function: 1_2_00B11638 push dword ptr [00B13084h]; ret	1_2_00B1170E
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Code function: 1_2_00B16014 push 00B114E1h; ret	1_2_00B16425
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Code function: 1_2_00B12D9B push ecx; ret	1_2_00B12DAB
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Code function: 1_2_00B1600A push ebp; ret	1_2_00B1600D

Source: 7Y18r(212).exe	Static PE information: section name: i]\|u entropy: 6.93440401754385
Source: nuwcjd.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934500310551252
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.934760778895195
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934530411452574

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\7Y18r(212).exe	File created: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_1-1305

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1046

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B11718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00B11754h

1_2_00B11718

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00B129E2

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B12B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00B12B8C

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: nuwcjd.exe, 00000001.00000002.2203244758.0000000000C92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

API call chain: ExitProcess graph end node

graph_1-1021

Source: C:\Users\user\Desktop\7Y18r(212).exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\7Y18r(212).exe

Code function: 0_2_008DA044 mov eax, dword ptr fs:[00000030h]

0_2_008DA044

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B11718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

1_2_00B11718

Source: C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Code function: 1_2_00B1139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_00B1139F

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: nuwcjd.exe PID: 2244, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: nuwcjd.exe PID: 2244, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7Y18r(212).exe	96%	ReversingLabs	Win32.Virus.Jadtre
7Y18r(212).exe	88%	Virustotal		Browse
7Y18r(212).exe	100%	Avira	W32/Jadtre.B
7Y18r(212).exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nuwcjd.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\nuwcjd.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nuwcjd.exe	92%	ReversingLabs	Win32.Trojan.Madeba
C:\Users\user\AppData\Local\Temp\nuwcjd.exe	93%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ddos.dnsnb8.net	13%	Virustotal		Browse
198.187.3.20.in-addr.arpa	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://www.activestate.comHolger	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarI	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarH	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarE	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar$	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/q	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarI	9%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarH	11%	Virustotal		Browse
http://ddos.dnsnb8.net/q	14%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rar$	16%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarE	13%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false	13%, Virustotal, Browse	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net/	nuwcjd.exe, 00000001.00000002.2203244758.0000000000C69000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	nuwcjd.exe, 00000001.00000002.2203564540.000000000289A000.00000004.00000010.00020000.00000000.sdmp, nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	nuwcjd.exe, 00000001.00000003.2133066360.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, nuwcjd.exe, 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarI	nuwcjd.exe, 00000001.00000002.2203244758.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarH	nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarE	nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar$	nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/q	nuwcjd.exe, 00000001.00000002.2203244758.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482712
Start date and time:	2024-07-26 02:36:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7Y18r(212).exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@5/13@3/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:37:42	API Interceptor	2x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	BOTBINARY.EXE.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	BkPack.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	bss.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nuwcjd.exe	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse
	7Y18r(223).exe	Get hash	malicious	Bdaejec	Browse
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse
	A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	BOTBINARY.EXE.exe	Get hash	malicious	Bdaejec	Browse
	BkPack.exe	Get hash	malicious	Bdaejec	Browse
	bss.exe	Get hash	malicious	Bdaejec	Browse
	C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe	Get hash	malicious	Bdaejec, BitCoin Miner, Xmrig	Browse
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse
	E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exe	Get hash	malicious	Babuk, Bdaejec, Djvu, Zorab	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nuwcjd.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.5909097396259275
Encrypted:	false
SSDEEP:	384:1F8ScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:d8QGPL4vzZq2o9W7GsxBbPr
MD5:	48FBE9E26974D06FA6C4110023BC1FA1
SHA1:	18D3138357C6FD92FA9385A4B584AF2E568D6991
SHA-256:	4FEFA03BAE494C5C971D3C23A27C6FE57C5F49DC57D535BA5623171DAB1CA97C
SHA-512:	A394E027919A6AE6AA9CA398B4EC7DF5AA088877EAA0058D962476CF3D33E4D834EB08FF86E4F4F36AA6D7FE44BB792E179B8508C07EEBAB5B16A031739BB552
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nuwcjd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731347769927002
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	7FA9ECDF8F97F36D3BEE9C6122EAC302
SHA1:	7D045DA42D8B2DBDD855571F0A6470B16A0E310D
SHA-256:	CBA1FA8E29DAB2E4ED1AE78A198530E1E08669B5951DB6755CF69438E56AFD32
SHA-512:	58F19B15DD505CF8DB87E91A35A311A0D0F382A2C9DBC7916DBF1184349DEC9BB716C34D8235755B9E3CD339ECB800172FF1B35B3DA35E2F3BEC01C69E1ED20A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nuwcjd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366563506928589
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdSvQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdSoGCq2iW7z
MD5:	ADA5C0BB1A89541501AFDD3DCB280914
SHA1:	55950B2F027F7DBF66F43E9E6099430A7150CADF
SHA-256:	83305511F0997E0D8D42FC9E4CAA68568C1C15304CD7A5CE34365535CCF7366F
SHA-512:	AE1C55BA2096E8D2BF2027F8ADB6D18D0A3AAF44B33F4090EE32F3F3C394362E0F791ADF2AED0375AB60D70B239F63430945D37F6F5FB05407384285CD46ADD9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7Y18r(212).exe_4e85da955ca18bb64608bd36b4037462285ed_8ee35320_9fce3981-bf1c-4f7c-b9a5-47751f43c810\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6480796788025764
Encrypted:	false
SSDEEP:	96:TiwF8OIpowDTswhMa7J9bQXIDcQvc6QcEVcw3cE/X+HbHg/5hZAX/d5FMT2SlPkJ:TmOIpfDTg0BU/wjhzuiF8Z24IO87
MD5:	1A4EF18E353EA15B9FF0CE0AF7B57BB6
SHA1:	BD5B6342F997D7A6055C2D93D1CF8B84492D0351
SHA-256:	3D788C856590BFF2BCED30369403EB8AAEC4F91AFD2C275530C762B9E0824F3B
SHA-512:	43A6F704F90795558F0D0FA4552C335A0198E12A7DA6C322845BE603DAD861AD5996173E444C6D2CD78FC329FCC51029F332122262D6F3C1DEF858B56EDEB37D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.7.8.5.9.2.6.3.1.8.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.7.8.5.9.7.6.3.1.8.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.c.e.3.9.8.1.-.b.f.1.c.-.4.f.7.c.-.b.9.a.5.-.4.7.7.5.1.f.4.3.c.8.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.2.b.4.1.6.2.-.8.2.d.d.-.4.8.e.7.-.a.1.7.0.-.b.d.0.9.f.9.7.4.1.2.e.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.Y.1.8.r.(.2.1.2.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.8.4.-.0.0.0.1.-.0.0.1.5.-.3.1.7.b.-.3.2.0.4.f.4.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.f.e.c.a.d.6.a.b.c.6.c.5.6.5.5.9.d.f.1.3.1.d.c.e.c.3.4.5.9.d.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.9.c.a.3.f.f.e.e.b.3.9.1.c.b.d.d.0.3.4.8.6.1.f.1.1.9.f.2.2.1.d.a.a.8.1.7.e.3.1.!.7.Y.1.8.r.(.2.1.2.)...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nuwcjd.exe_7689929733b9f7a719f893b7fd9ced26bf8ebf_59aa2b61_74bca566-19f6-4a96-8151-58df96c852f8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9104642016551889
Encrypted:	false
SSDEEP:	96:K/FrJbLusMhnG7afzQXIDcQEc6XcEgcw3mjC+HbHg/5ksS/YyNl1zWDUMsxzLOyy:gRJbLuS0qT6Yj8fHzuiF8Z24IO8pEm
MD5:	71CBE9DB8A641A563400BDEE0C32F425
SHA1:	0B99317F8AD709389D11C6E616BF6D80DA5EB620
SHA-256:	C39620C813584A21DA2D529FD3917678E43926F6645EFFF86B25D831A117D132
SHA-512:	E24DF88E4B621A9AAD1506F6A28068CEDB25898B5055FA95700502F3280028EFD5F87DE90F955A055B005BCD7C505449000A7B20B34C0FD19B946B53749BCC28
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.7.8.6.4.1.0.0.3.7.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.7.8.6.4.5.0.6.6.2.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.b.c.a.5.6.6.-.1.9.f.6.-.4.a.9.6.-.8.1.5.1.-.5.8.d.f.9.6.c.8.5.2.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.e.4.2.8.a.c.-.2.8.4.2.-.4.b.1.4.-.9.b.d.1.-.c.5.c.f.6.e.a.4.d.9.6.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.u.w.c.j.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.c.4.-.0.0.0.1.-.0.0.1.5.-.c.0.2.6.-.4.0.0.4.f.4.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.4.8.4.6.9.6.8.2.7.a.d.9.d.3.4.9.2.c.6.9.7.7.8.a.9.4.6.4.1.5.7.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.n.u.w.c.j.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC020.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jul 26 00:37:39 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	30574
Entropy (8bit):	1.808634412283413
Encrypted:	false
SSDEEP:	192:o7U2zhpBOevZjMUnmfsgcUdY2WW+NU5/D:Cl0eRjMUssHDWj
MD5:	940359BCB0FA247E49F1ECAE9E7E94E6
SHA1:	F52A123A6B8BB8C069AC11B95A5D6A0B10471E1D
SHA-256:	5BACEBF635FA81F2EB708583E639EE4CFE6F53BCA6A20924DF2668FD3215889F
SHA-512:	C36B85AEA67742E611B8D611705146E19A62D9372EFD7C0AF10CF2CD8BF9AA0A5D90C6197A7A067328354C841F7DEEF1CE06157D0B2B1D44B1B659033B8C88F1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........f........................d...........................T.......8...........T...........`....m......................................................................................................eJ..............GenuineIntel............T.............f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8294
Entropy (8bit):	3.694402199291567
Encrypted:	false
SSDEEP:	192:R6l7wVeJ5jx6Z6Y2DYSUkcsk6Ggmf4lprq89bDksfPdhm:R6lXJtx6Z6YVSUVbgmf4rDXfPS
MD5:	4A4169D74B633BB4F5357D9BD93BB22D
SHA1:	6AE58AFB5B53A96D063F2D31946BBF184159F51C
SHA-256:	AA55CDCD3A32C6E6803104A802CBACDDA5F073BAD8449D683D222696403994AD
SHA-512:	D2B1CFE0765D82592C151203018B030EF18232F176404A4BE5DC59A2EF50632B3C481D63F466A3B5AD16828F86FE8483A985FBE27F724DAFD2A374CD2072F150
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC11C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.443716499575832
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9RWWpW8VYdYm8M4JN8UF9c+q8vg7PypM3dMjd:uIjfWI7/37VNJyrOyPyS3dMjd
MD5:	618F121EE52B3DF2691FDCA7AD03E2A5
SHA1:	0EC3519296E53BC6585CE9797C7604BB6D7174E1
SHA-256:	608C2F47BD14F73B29481C7843DC6469718079A07FBF937C6A8971EAC21F4A04
SHA-512:	4F617AD24F599A89DB4FA876FFB13CB2EDC1A52662D80EFB80DEEE683DB41BD9AACC35B115C2A7A89F42428F0DFE0784281AA6C062EC244198A2E6699DAD89F2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="427180" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jul 26 00:37:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	167074
Entropy (8bit):	1.8821953255714834
Encrypted:	false
SSDEEP:	384:W5n7ZxSlrBmyf8FASBRCqhUPiNpu5852AcTS1FCFW+BP2Xm+9Pt6PwWKGoW7GCBV:+7LStB10v+6695Oolc+BP2xPALoVKD
MD5:	9735734B477B3614EACFE1D3A2854380
SHA1:	0E3C86E808792E058C69238F990333B951E9A6DB
SHA-256:	4E36061E351C3BD2391CC4FB234CC9B1C26B964278927B50BF144A06BF48D253
SHA-512:	C36F5DD6C636BDE2BF835D6271B3A8ED492E4AB167F966F073163F4BC6CD2DC945F98F5C199544AAD4643BB05C30AEF8B79059E9BA6BD05A0971646EED572E7B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........f............t...............\|.......d...VK..........T.......8...........T............5...V..........\|...........h...............................................................................eJ..............GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD406.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6264
Entropy (8bit):	3.7169721668457405
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbgS65JYGDjwXn5aMQU089bxOsfWkGm:R6l7wVeJgS6HYGcpD089bxOsfW7m
MD5:	031CEE0F95A618573C27232B0F852CEA
SHA1:	2A2F1602594552C21760E7CBC3F3916D7C292D62
SHA-256:	064C2CAD41E90B712B309E1E721B01012575C9986D6F1504B5AD8F75FE086758
SHA-512:	161BBD44DF6636526D35FF0207CF2CA6BA4E37C47C6F9050F9FEEA3BBBEEBDF4C1649A65DE22994BABF095A133AF7701FCEE82F5A7291B9BB814E1CDB73BBA71
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD427.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.436928246707926
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI9RWWpW8VYFYm8M4JNiKFanT+q8GurMSg7SYd:uIjfWI7/37VhJNmnTe7gGYd
MD5:	F509B737E0AF76F41385C400689B389A
SHA1:	3CE855845FB222E04642CBF076D55184D9B3F4DB
SHA-256:	885550FB748D6774952911397CD64910F6F585BAE362512FDB20DA84322658BF
SHA-512:	F7E0915D98C431A6461BFFF5D5224096CF6E8F7640E993CA7C881A4C2F37505233384D7B26A21EF7CFE40C1059661C366D14B67BAACE7083DEDF07CD5A0382B6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="427180" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\nuwcjd.exe

Download File

Process:	C:\Users\user\Desktop\7Y18r(212).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 93%, Browse
Joe Sandbox View:	Filename: 7Y18r(216).exe.dll, Detection: malicious, Browse Filename: 7Y18r(223).exe, Detection: malicious, Browse Filename: builder_Release.exe, Detection: malicious, Browse Filename: A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe, Detection: malicious, Browse Filename: BOTBINARY.EXE.exe, Detection: malicious, Browse Filename: BkPack.exe, Detection: malicious, Browse Filename: bss.exe, Detection: malicious, Browse Filename: C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe, Detection: malicious, Browse Filename: builder_Release.exe, Detection: malicious, Browse Filename: E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4712283606847505
Encrypted:	false
SSDEEP:	6144:fzZfpi6ceLPx9skLmb0fJZWSP3aJG8nAgeiJRMMhA2zX4WABluuN7jDH5S:LZHtJZWOKnMM6bFphj4
MD5:	6940D4EA04F5736D9DAC95A7E5E05BDF
SHA1:	FA51FEA8F0BA8320A4B06A54059A431ACF6DCFBC
SHA-256:	CB1485BEC913421F0089B4A527EC11EBC09F0AB632A465CE05C07A267E70C218
SHA-512:	B0F1D9689E4CC5379403DAB85A8666390D22FEB643594CC40294A8E8CE040621FE00B958C64432836E37DE9F0E6B19773CA6BD5247FF454FFA95B25A03701FA2
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...................................................................................................................................................................................................................................................................................................................................................Pv.0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.435161920948518
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7Y18r(212).exe
File size:	4'981'248 bytes
MD5:	694c32cb655bcdc5ee56749cb64124e8
SHA1:	d9ca3ffeeb391cbdd034861f119f221daa817e31
SHA256:	347b1528f270d85186eca01132cb9b6fdbb818d317d5a17ac4772f2381473095
SHA512:	92f88cf1ac7cb4072ab7707b7ffc77c9499fa76564de205a485e3cdd28265f5d8c405b1c70550a0ebef5698bfe9f22a166f8e011abc49adf532dbd33f3df0b5e
SSDEEP:	24576:BBF6727HeoPO+XC7A9GaF2UdJwdOcRUVVc/2tQnwnoTTPqLvzxczjIBB6/HOy:FOY2UrwgbtT4ixiWy
TLSH:	FD360151CEBF14F9D61A2134686F9B2FAA2126051F38EDEBC3C50D86D61BFF11132929
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........PE...........................M......P....@...........................M............................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8da000
Entrypoint Section:	i]\|u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 6377756Eh
mov dword ptr [ebp-44h], 652E646Ah
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F34A8B170A5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFB7241Fh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F34A8B171EEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F34A8B170F4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F34A8B170EBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x471000	0x372	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c2000	0x17af0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e5000	0x8c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e3cb9	0x2e3e00	621fc4c1741d1aae19b7cb023966f0d5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2e5000	0x46528	0x30200	8140f90bf0e9cc0d7cee6a4cb1cd7946	False	0.0010805600649350649	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0x32c000	0x116	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/18	0x32d000	0x2dcb3	0x2de00	918736048677cdec5b9be220905fb89d	False	0.001090982629427793	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/30	0x35b000	0x24f98	0x25000	8ae23dda76ac8cf226db64eb890fe038	False	0.001121727195945946	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/43	0x380000	0x13181	0x13200	4fcf65d3ad9691efc0f5963c0c85cc67	False	0.0012637867647058824	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/59	0x394000	0x1eca8	0x1ee00	27849d1d652ac20ecbc3b7ef6c1f1943	False	0.0011465713562753036	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/75	0x3b3000	0x20	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x3b4000	0x22	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/109	0x3b5000	0xbb3a5	0xbb400	828819da66763d8fc856d7b412550fa3	False	0.0009987274699599466	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x471000	0x372	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.symtab	0x472000	0x4f2d5	0x4f400	63f56a2d641b240c6efbfb4d0efccad2	False	0.0010381752760252366	data	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x4c2000	0x17af0	0x17c00	e4ec5319f7265ca24ee5e653a6e35299	False	0.0012027138157894737	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
i]\|u	0x4da000	0x5000	0x4200	596d080a1947377e451a028daf424781	False	0.7774621212121212	data	6.93440401754385	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T02:37:57.191863+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	55977	13.85.23.86	192.168.2.6
2024-07-26T02:37:40.206459+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	51208	53	192.168.2.6	1.1.1.1
2024-07-26T02:38:15.891536+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	58025	52.165.165.26	192.168.2.6
2024-07-26T02:37:41.199113+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	51208	53	192.168.2.6	1.1.1.1
2024-07-26T02:38:16.990641+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	58026	52.165.165.26	192.168.2.6

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 02:37:40.206459045 CEST	51208	53	192.168.2.6	1.1.1.1
Jul 26, 2024 02:37:41.199112892 CEST	51208	53	192.168.2.6	1.1.1.1
Jul 26, 2024 02:37:41.206186056 CEST	53	51208	1.1.1.1	192.168.2.6
Jul 26, 2024 02:37:44.216032982 CEST	53	51208	1.1.1.1	192.168.2.6
Jul 26, 2024 02:38:11.471772909 CEST	53	52777	162.159.36.2	192.168.2.6
Jul 26, 2024 02:38:11.957611084 CEST	49865	53	192.168.2.6	1.1.1.1
Jul 26, 2024 02:38:11.966922998 CEST	53	49865	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 02:37:40.206459045 CEST	192.168.2.6	1.1.1.1	0x143	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 02:37:41.199112892 CEST	192.168.2.6	1.1.1.1	0x143	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 26, 2024 02:38:11.957611084 CEST	192.168.2.6	1.1.1.1	0xcb75	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 02:37:44.216032982 CEST	1.1.1.1	192.168.2.6	0x143	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 26, 2024 02:38:11.966922998 CEST	1.1.1.1	192.168.2.6	0xcb75	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	20:37:38
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\7Y18r(212).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7Y18r(212).exe"
Imagebase:	0x400000
File size:	4'981'248 bytes
MD5 hash:	694C32CB655BCDC5EE56749CB64124E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:37:38
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\nuwcjd.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\nuwcjd.exe
Imagebase:	0xb10000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs Detection: 93%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:37:38
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 244
Imagebase:	0x8f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:37:43
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1568
Imagebase:	0x8f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	53.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	87.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008DA044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 008DA223
WriteFile.KERNELBASE(00000000,FFB7241F,00003E00,?,00000000), ref: 008DA252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 008DA256
WinExec.KERNEL32(?,00000005), ref: 008DA262

Strings

Clos, xrefs: 008DA129
lstr, xrefs: 008DA1A7
odul, xrefs: 008DA22D
GetT, xrefs: 008DA188
GetM, xrefs: 008DA0B6
nuwcjd.exe, xrefs: 008DA1FD, 008DA200
catA, xrefs: 008DA1AF
Kern, xrefs: 008DA0F4
el32, xrefs: 008DA0FB
athA, xrefs: 008DA199
Writ, xrefs: 008DA148
.dll, xrefs: 008DA102
dleA, xrefs: 008DA0D0
WinE, xrefs: 008DA110
Crea, xrefs: 008DA169

Memory Dump Source

Source File: 00000000.00000002.2171591596.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2171069418.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171098287.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2171611840.00000000008DB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7Y18r(212).jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$nuwcjd.exe$odul
API String ID: 2234911746-2528574354
Opcode ID: 22ae9d5cb094e7cec920e355afca94933ede293029b45c6f72bd23c75b5eb4a5
Instruction ID: 2d62b46ae082640fc3f502ce1ccedd0adbae1300d2fb27b685911f92d85b9e46
Opcode Fuzzy Hash: 22ae9d5cb094e7cec920e355afca94933ede293029b45c6f72bd23c75b5eb4a5
Instruction Fuzzy Hash: 8161E774D0121ADBCF28CF94C885AAEB7B4FF45715F2582ABD506AB741C3709E81CB92

Analysis Process: nuwcjd.exePID: 2244, Parent PID: 6276COMMON

Execution Graph

Execution Coverage:	27.5%
Dynamic/Decrypted Code Coverage:	10.5%
Signature Coverage:	23.6%
Total number of Nodes:	296
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B129E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B12A02
wsprintfA.USER32 ref: 00B12A1A
memset.MSVCRT ref: 00B12A44
lstrlen.KERNEL32(?), ref: 00B12A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00B12A6C
strrchr.MSVCRT ref: 00B12A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00B12A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00B12AAE
memset.MSVCRT ref: 00B12AC6
memset.MSVCRT ref: 00B12ADA
FindFirstFileA.KERNELBASE(?,?), ref: 00B12AEF
memset.MSVCRT ref: 00B12B13
lstrcmpiA.KERNEL32(?,?), ref: 00B12B42
FindNextFileA.KERNELBASE(00000000,?,?,?,?), ref: 00B12B67
FindClose.KERNELBASE(00000000), ref: 00B12B6E

Strings

Documents and Settings, xrefs: 00B12A8D, 00B12A92, 00B12A9A, 00B12AAD
C:\, xrefs: 00B12A2F
%s*, xrefs: 00B12A14

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: cbc49afbefa4bf5cc5dc65aa6329bce29c877bcde56a1f99e701b59057b81ab4
Instruction ID: 4306bdab0b621e1224cdc90f0d9deaba69ab71d3960a937892dc7ec1a48b825c
Opcode Fuzzy Hash: cbc49afbefa4bf5cc5dc65aa6329bce29c877bcde56a1f99e701b59057b81ab4
Instruction Fuzzy Hash: E64175B2404349AFD720DBA0DC89EDB77ECEF84715F444869F945D3111FA34D69887A2

Function 00B11099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B1185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00B11118), ref: 00B11867
Part of subcall function 00B1185B: srand.MSVCRT ref: 00B11878
Part of subcall function 00B1185B: rand.MSVCRT ref: 00B11880
Part of subcall function 00B1185B: srand.MSVCRT ref: 00B11890
Part of subcall function 00B1185B: rand.MSVCRT ref: 00B11894

WinExec.KERNEL32(?,00000005), ref: 00B110F1
lstrlen.KERNEL32(00B14748), ref: 00B110FA
wsprintfA.USER32 ref: 00B1112A
wsprintfA.USER32 ref: 00B11143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00B1115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00B11169
Sleep.KERNEL32 ref: 00B11179

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B11119
ddos.dnsnb8.net, xrefs: 00B110C8, 00B110CF, 00B11140, 00B11168
http://%s:%d/%s/%s, xrefs: 00B110C2, 00B11141
cj/, xrefs: 00B11135
%s%.8X.exe, xrefs: 00B11124

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-762681358
Opcode ID: 69e0a51ecd699d3bd0098d3f0648b0846f6beb783fc4ec65480352ba4ec877a7
Instruction ID: ac0f84f1c75f7911f58b68ddc6a99ead38d19399bf9c44ba32d3ca510af9b346
Opcode Fuzzy Hash: 69e0a51ecd699d3bd0098d3f0648b0846f6beb783fc4ec65480352ba4ec877a7
Instruction Fuzzy Hash: 3C216975900248BEDB20DBA4DC48BEEBBF8EB05755F9188D5E600A3050EB749BD4CFA0

Function 00B11718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B11729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00B1174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00B1177C
__aulldiv.LIBCMT ref: 00B11796
__aulldiv.LIBCMT ref: 00B117A8

Strings

Time, xrefs: 00B1173D, 00B11766
SOFTWARE\GTplus, xrefs: 00B11742, 00B1176B
C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B11722

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\nuwcjd.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-4140730086
Opcode ID: 12b11c1bcc5ec2c22ed3a180a4c5818cdfa3e5807fb8e2f49dcc9efca1b22b6a
Instruction ID: e3de16dc5f9775570bfd460bc2efc5f4630f32bd94e57067eaa9579c5c9a5be4
Opcode Fuzzy Hash: 12b11c1bcc5ec2c22ed3a180a4c5818cdfa3e5807fb8e2f49dcc9efca1b22b6a
Instruction Fuzzy Hash: 2F1136B5A00209BBDB109B94CC85FEF7BFCEB44B14F908555FA01B6280D6719E948760

Function 00B16076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 00B160BE
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 00B160DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B16189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B161A5

Memory Dump Source

Source File: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 668c373869f473e2b0fefbbac2edcf4f609f1323634012cd4e69227d5d3c7b2c
Instruction ID: 0e8befa0361c9edb981d3145b3048b8b39040675b5ff5af7ec3c26e6f85734b6
Opcode Fuzzy Hash: 668c373869f473e2b0fefbbac2edcf4f609f1323634012cd4e69227d5d3c7b2c
Instruction Fuzzy Hash: 621244B25087849FDB328F24CC85BEA7BF5EF12310F9845EED8858B292D774A980C755

Function 00B12B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B12BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00B12BB4
GetDriveTypeA.KERNELBASE(?), ref: 00B12BD3
CreateThread.KERNELBASE(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00B12BEE
lstrlen.KERNEL32(?), ref: 00B12BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B12C16
CreateThread.KERNEL32(00000000,00000000,00B12845,00000000,00000000,00000000), ref: 00B12C3A

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 4f375dc4b8b7246f774cfadda79a8f48b697b10b3171f36164b187b1d3fccc02
Instruction ID: 89b4fff271ffe78109d8db893c7060cc60d393bc756e00e1937a4b14aabe66ea
Opcode Fuzzy Hash: 4f375dc4b8b7246f774cfadda79a8f48b697b10b3171f36164b187b1d3fccc02
Instruction Fuzzy Hash: 1A21D5B180414CAFEB209F64AC84EEF7BEDFB09744B940525F942D3161EB208E56CB60

Function 00B11E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE(?,00000080,?,00B132B0,00000164,00B12986,?), ref: 00B11EB9
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00B11ECD
SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00B11EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00B11F07
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000400), ref: 00B11F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00B1201E
memset.MSVCRT ref: 00B120D8
memset.MSVCRT ref: 00B120EA
memcpy.MSVCRT ref: 00B1222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B12238
FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B1224A
SetFilePointer.KERNELBASE(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B122C6
SetEndOfFile.KERNELBASE(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B122CB
SetFilePointer.KERNELBASE(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B122DD
WriteFile.KERNELBASE(000000FF,00B14008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B122F7
WriteFile.KERNELBASE(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B1230D
FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B12322
UnmapViewOfFile.KERNEL32(?,?,00B132B0,00000164,00B12986,?), ref: 00B12340
FindCloseChangeNotification.KERNELBASE(?,?,00B132B0,00000164,00B12986,?), ref: 00B1234E
CloseHandle.KERNEL32(000000FF,?,00B132B0,00000164,00B12986,?), ref: 00B12359

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$CloseView$ChangeFindNotificationPointer$CreateUnmapWritememset$AttributesFlushHandleMappingmemcpy
String ID:
API String ID: 307705342-0
Opcode ID: b51601acf7334a410916437849e358d967c880d8b19289002139cc595c5bbc7d
Instruction ID: 73667d79f11fe36069f2208b1cd54d5ce613cfc00172a005b129250848d1665a
Opcode Fuzzy Hash: b51601acf7334a410916437849e358d967c880d8b19289002139cc595c5bbc7d
Instruction Fuzzy Hash: A7F13871900209EFCB20DFA8D885AEDBBF5FF08314F90856AE519A7661D730AE91CF54

Function 00B11973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00B14E5C,00000000,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B11992
CreateFileA.KERNELBASE(00B14E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B119BA
Sleep.KERNEL32(00000064), ref: 00B119C6
wsprintfA.USER32 ref: 00B119EC
CopyFileA.KERNEL32(00B14E5C,?,00000000), ref: 00B11A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B11A1E
GetFileSize.KERNEL32(00B14E5C,00000000), ref: 00B11A2C
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00B11A46
ReadFile.KERNELBASE(00B14E5C,00B14E60,00000000,?,00000000), ref: 00B11A65
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00B11A90
DeleteFileA.KERNEL32(?), ref: 00B11AA7
VirtualFree.KERNEL32(00B14E60,00000000,00008000), ref: 00B11AC1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B119DB
2, xrefs: 00B119CF
%s%.8X.data, xrefs: 00B119E6
C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B1197C

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nuwcjd.exe
API String ID: 2523042076-1062935941
Opcode ID: 154e24b8f5861f20ac6817dedd42b0fd3b44ce46fd21a740259451aeca28693b
Instruction ID: b51dd20f953bdafd018d05399b4eb3af1ae79c2b57bd5d5a13adb6d4d08878e2
Opcode Fuzzy Hash: 154e24b8f5861f20ac6817dedd42b0fd3b44ce46fd21a740259451aeca28693b
Instruction Fuzzy Hash: ED513D71911219AFCF109F98CC88AEEBFF9EF09754F9049A9F625E6190D7309E90CB50

Function 00B128B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B128D3
wsprintfA.USER32 ref: 00B128F7
memset.MSVCRT ref: 00B12925
wsprintfA.USER32 ref: 00B12940

Part of subcall function 00B129E2: memset.MSVCRT ref: 00B12A02
Part of subcall function 00B129E2: wsprintfA.USER32 ref: 00B12A1A
Part of subcall function 00B129E2: memset.MSVCRT ref: 00B12A44
Part of subcall function 00B129E2: lstrlen.KERNEL32(?), ref: 00B12A54
Part of subcall function 00B129E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00B12A6C
Part of subcall function 00B129E2: strrchr.MSVCRT ref: 00B12A7C
Part of subcall function 00B129E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00B12A9F
Part of subcall function 00B129E2: lstrlen.KERNEL32(Documents and Settings), ref: 00B12AAE
Part of subcall function 00B129E2: memset.MSVCRT ref: 00B12AC6
Part of subcall function 00B129E2: memset.MSVCRT ref: 00B12ADA
Part of subcall function 00B129E2: FindFirstFileA.KERNELBASE(?,?), ref: 00B12AEF
Part of subcall function 00B129E2: memset.MSVCRT ref: 00B12B13

strrchr.MSVCRT ref: 00B12959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00B12974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B129B3
%s\, xrefs: 00B1293A
%s%s, xrefs: 00B128F1
exe, xrefs: 00B1296D
rar, xrefs: 00B12988

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: db9f6e71730fd2e9cd3c88a799df72187f4b5309fd47957bf46e35cbe5af1481
Instruction ID: 82483476a338cda750d0fc9536d7f30676c49407d1eb06bd365202539fd1f493
Opcode Fuzzy Hash: db9f6e71730fd2e9cd3c88a799df72187f4b5309fd47957bf46e35cbe5af1481
Instruction Fuzzy Hash: 9D31937294031D6BDB20A768DC89FDA77ECDB14750F8404E2F945E3081FAB49AD48BA0

Function 00B11638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00B1164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00B1165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\nuwcjd.exe,00000104), ref: 00B1166E
CreateThread.KERNELBASE(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 00B116AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00B116BD

Part of subcall function 00B1139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B113BC
Part of subcall function 00B1139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00B113DA
Part of subcall function 00B1139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00B11448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B116E5

Strings

C:\Windows\system32, xrefs: 00B11656
C:\Users\user\AppData\Local\Temp\, xrefs: 00B11644
Documents and Settings, xrefs: 00B11696
C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B11662, 00B11667, 00B116DD

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nuwcjd.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3325892672
Opcode ID: 296dd4406f0b1cb9f717947690fc45bd8b191f9cdcc2408d03f6558cac5e1e79
Instruction ID: 59fc262b9ee93444df7dfebdce1a2aeded1db6be680fe9b19274cf1b9bcf5194
Opcode Fuzzy Hash: 296dd4406f0b1cb9f717947690fc45bd8b191f9cdcc2408d03f6558cac5e1e79
Instruction Fuzzy Hash: B711D671501114BBCF205BA8AD4DFDB3EEDEB09761FD044A4F309921A0EA7189C0C7A1

Function 00B12C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B12C57

Part of subcall function 00B11973: PathFileExistsA.KERNELBASE(00B14E5C,00000000,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B11992
Part of subcall function 00B11973: CreateFileA.KERNELBASE(00B14E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B119BA
Part of subcall function 00B11973: Sleep.KERNEL32(00000064), ref: 00B119C6
Part of subcall function 00B11973: wsprintfA.USER32 ref: 00B119EC
Part of subcall function 00B11973: CopyFileA.KERNEL32(00B14E5C,?,00000000), ref: 00B11A00
Part of subcall function 00B11973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B11A1E
Part of subcall function 00B11973: GetFileSize.KERNEL32(00B14E5C,00000000), ref: 00B11A2C
Part of subcall function 00B11973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00B11A46
Part of subcall function 00B11973: ReadFile.KERNELBASE(00B14E5C,00B14E60,00000000,?,00000000), ref: 00B11A65

CreateThread.KERNELBASE(00000000,00000000,00B12B8C,00000000,00000000,00000000), ref: 00B12C99
WaitForMultipleObjects.KERNEL32(00000001,00B116BA,00000001,000000FF,?,00B116BA,00000000), ref: 00B12CAC
VirtualFree.KERNEL32(00AF0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\nuwcjd.exe,00B14E5C,00B14E60,?,00B116BA,00000000), ref: 00B12CC2

Strings

C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B12C69

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\nuwcjd.exe
API String ID: 2042498389-289599860
Opcode ID: dffa758c3a69993228c352ac541d63525fc3c5008dd7c312170b6b30afcba7f1
Instruction ID: 8898615ce52702a0c6900bdf6eba8a9c8e8e94790ac2538b8f4586d945d30402
Opcode Fuzzy Hash: dffa758c3a69993228c352ac541d63525fc3c5008dd7c312170b6b30afcba7f1
Instruction Fuzzy Hash: 6B0184766412247BD7149795DC0EEDF7EECEF05B60FD08150B605DA1D1EAA09990C7F0

Function 00B114E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00B11504
VirtualQuery.KERNEL32(00B114E1,?,0000001C), ref: 00B11525
ExitProcess.KERNEL32 ref: 00B1157A

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 6ff5399a284267e86694b6d8170b9713b40046dd570cfb296cca6a41c0a54cf3
Instruction ID: d8e5b5b792ef1d7813971eddcdf7253f0c41f344dd0d049ebaedd1941a10dc8e
Opcode Fuzzy Hash: 6ff5399a284267e86694b6d8170b9713b40046dd570cfb296cca6a41c0a54cf3
Instruction Fuzzy Hash: 90114871901205DFCB20DFADB886AF977F8EB94710BA0847AE602A3150EB348D81DB50

Function 00B11915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B11933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00B11947

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 59b123457b100646e807be2b0d534ad207e0f0645c8146f8c1dcfc21eb30cd8a
Instruction ID: a41d24d13543241a6c0a83c45392bcfecafc7c7ad4a1f9db8f1b0243b1671058
Opcode Fuzzy Hash: 59b123457b100646e807be2b0d534ad207e0f0645c8146f8c1dcfc21eb30cd8a
Instruction Fuzzy Hash: BAF06832200209ABDB20DE2ADC04BE777ECEB547A1F408976F626D5050E730D686CBB0

Function 00B16159 Relevance: 2.6, APIs: 2, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 00B160DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B16189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B161A5

Memory Dump Source

Source File: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: bb24bd534f81e4389fe96f4ee43071a241772b8d06ea67700a2d036d8fe43670
Instruction ID: c0d6b2200c306f4d6c80b67fe57a11e9c03cca508ce2d56cd33db51b74ee69e1
Opcode Fuzzy Hash: bb24bd534f81e4389fe96f4ee43071a241772b8d06ea67700a2d036d8fe43670
Instruction Fuzzy Hash: 66116A32A00649CFCF318F58CC857ED37E1FF05301FA944A9DE89AB292DA716994CB94

Non-executed Functions

Function 00B1119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\nuwcjd.exe,?,?,?,?,?,?,00B113EF), ref: 00B111AB
OpenProcessToken.ADVAPI32(00000000,00000028,00B113EF,?,?,?,?,?,?,00B113EF), ref: 00B111BB
AdjustTokenPrivileges.ADVAPI32(00B113EF,00000000,?,00000010,00000000,00000000), ref: 00B111EB
CloseHandle.KERNEL32(00B113EF), ref: 00B111FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B113EF), ref: 00B11203

Strings

C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B111A5

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\nuwcjd.exe
API String ID: 75692138-289599860
Opcode ID: b4201974eec3c83f7592bf8ee84b8a5e0fee5630235b4f98d712174175faf714
Instruction ID: ed47b85c80bbadf4c975954a4a48837ae0aed5b320f1d732fa0b2ae0485b9e74
Opcode Fuzzy Hash: b4201974eec3c83f7592bf8ee84b8a5e0fee5630235b4f98d712174175faf714
Instruction Fuzzy Hash: 1901D675900209EFDB00DFD4C989AEEBBF8FB08745F508569E605A2150EB715F449B50

Function 00B1139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B113BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00B113DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00B11448

Part of subcall function 00B1119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\nuwcjd.exe,?,?,?,?,?,?,00B113EF), ref: 00B111AB
Part of subcall function 00B1119F: OpenProcessToken.ADVAPI32(00000000,00000028,00B113EF,?,?,?,?,?,?,00B113EF), ref: 00B111BB
Part of subcall function 00B1119F: AdjustTokenPrivileges.ADVAPI32(00B113EF,00000000,?,00000010,00000000,00000000), ref: 00B111EB
Part of subcall function 00B1119F: CloseHandle.KERNEL32(00B113EF), ref: 00B111FA
Part of subcall function 00B1119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B113EF), ref: 00B11203

Strings

SeDebugPrivilege, xrefs: 00B113D3
C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B113A8

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\nuwcjd.exe$SeDebugPrivilege
API String ID: 4123949106-2010471490
Opcode ID: 23ed6242e94d2ad69543a23b4bb253feff03982e27b6feca40b2b2cea337a2a8
Instruction ID: 2da2aa8268f39246316fec1234871a66cc7dd47b39d1dea7fb476bd7220b8942
Opcode Fuzzy Hash: 23ed6242e94d2ad69543a23b4bb253feff03982e27b6feca40b2b2cea337a2a8
Instruction Fuzzy Hash: 94313271D00209EAEF209BA99C45FEEBBF8EB54B04F9045A9E614F2141E6705E85CF60

Function 00B16D00 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: b079faf611eecc3df593e7a96d7c2dc926a2bacbb5a287ac08269351c0461bcb
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: E381A171204B418FC728CF28D890AAAB7E2EFD5314F54CA6DD0EAC7755D734A989CB44

Function 00B1239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239
sleepfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 00B123CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B12464
GetFileSize.KERNEL32(00000000,00000000), ref: 00B12472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00B124A8
memset.MSVCRT ref: 00B124B9
strrchr.MSVCRT ref: 00B124C9
wsprintfA.USER32 ref: 00B124DE
strrchr.MSVCRT ref: 00B124ED
memset.MSVCRT ref: 00B124F2
memset.MSVCRT ref: 00B12505
wsprintfA.USER32 ref: 00B12524
Sleep.KERNEL32(000007D0), ref: 00B12535
Sleep.KERNEL32(000007D0), ref: 00B1255D
memset.MSVCRT ref: 00B1256E
wsprintfA.USER32 ref: 00B12585
memset.MSVCRT ref: 00B125A6
wsprintfA.USER32 ref: 00B125CA
Sleep.KERNEL32(000007D0), ref: 00B125D0
Sleep.KERNEL32(000007D0,?,?), ref: 00B125E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B125FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00B12611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00B12642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00B1265B
SetEndOfFile.KERNEL32 ref: 00B1266D
CloseHandle.KERNEL32(00000000), ref: 00B12676
RemoveDirectoryA.KERNEL32(?), ref: 00B12681

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B123B1, 00B123B6, 00B124CD
%s\, xrefs: 00B1257F
%s%s, xrefs: 00B124D8
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00B125C4
-ibck, xrefs: 00B125BA
%s X -ibck "%s" "%s\", xrefs: 00B1251E

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-774930870
Opcode ID: 832c159ac8b85274db9d363b9ed87d3934ac8a4853c3c8657a9f4e97cd9677af
Instruction ID: 9cc533c845b71fcbbebf9baf2be1f17ac351c95b6bcd9cc78e9a3bb859385538
Opcode Fuzzy Hash: 832c159ac8b85274db9d363b9ed87d3934ac8a4853c3c8657a9f4e97cd9677af
Instruction Fuzzy Hash: 0581C1B1504344ABD710DF60DC89FEB7BECEB88B04F80455AFA44D31A0E7749A998BA5

Function 00B1274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B12766
memset.MSVCRT ref: 00B12774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00B12787
wsprintfA.USER32 ref: 00B127AB

Part of subcall function 00B1185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00B11118), ref: 00B11867
Part of subcall function 00B1185B: srand.MSVCRT ref: 00B11878
Part of subcall function 00B1185B: rand.MSVCRT ref: 00B11880
Part of subcall function 00B1185B: srand.MSVCRT ref: 00B11890
Part of subcall function 00B1185B: rand.MSVCRT ref: 00B11894

wsprintfA.USER32 ref: 00B127C6
CopyFileA.KERNEL32(?,00B14C80,00000000), ref: 00B127D4
wsprintfA.USER32 ref: 00B127F4

Part of subcall function 00B11973: PathFileExistsA.KERNELBASE(00B14E5C,00000000,C:\Users\user\AppData\Local\Temp\nuwcjd.exe), ref: 00B11992
Part of subcall function 00B11973: CreateFileA.KERNELBASE(00B14E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B119BA
Part of subcall function 00B11973: Sleep.KERNEL32(00000064), ref: 00B119C6
Part of subcall function 00B11973: wsprintfA.USER32 ref: 00B119EC
Part of subcall function 00B11973: CopyFileA.KERNEL32(00B14E5C,?,00000000), ref: 00B11A00
Part of subcall function 00B11973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B11A1E
Part of subcall function 00B11973: GetFileSize.KERNEL32(00B14E5C,00000000), ref: 00B11A2C
Part of subcall function 00B11973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00B11A46
Part of subcall function 00B11973: ReadFile.KERNELBASE(00B14E5C,00B14E60,00000000,?,00000000), ref: 00B11A65

DeleteFileA.KERNEL32(?,?,00B14E54,00B14E58), ref: 00B1281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00B14E54,00B14E58), ref: 00B12832

Strings

C:\Windows\system32, xrefs: 00B127E3
\WinRAR\Rar.exe, xrefs: 00B12793
C:\Users\user\AppData\Local\Temp\, xrefs: 00B127B6
%s\%s, xrefs: 00B127EE
%s%s, xrefs: 00B127A5
%s%.8x.exe, xrefs: 00B127BB
c_31892.nls, xrefs: 00B127DE

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3099098879
Opcode ID: f4e41c27fd714e25c365bf188c51e0e776e19f1c2fa4c4d3705a7714fd38a745
Instruction ID: 9108c2cf1aff3d5da0c1f6c67d51e38994a7c10b6399f957719992f976014e90
Opcode Fuzzy Hash: f4e41c27fd714e25c365bf188c51e0e776e19f1c2fa4c4d3705a7714fd38a745
Instruction Fuzzy Hash: 6D2130B694021C7BDB10E7A49C89FDB77ECEB14B44F8045E1B644E3051F6709FD48AA0

Function 00B11581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00B11118), ref: 00B11867
Part of subcall function 00B1185B: srand.MSVCRT ref: 00B11878
Part of subcall function 00B1185B: rand.MSVCRT ref: 00B11880
Part of subcall function 00B1185B: srand.MSVCRT ref: 00B11890
Part of subcall function 00B1185B: rand.MSVCRT ref: 00B11894

wsprintfA.USER32 ref: 00B115AA
wsprintfA.USER32 ref: 00B115C6
lstrlen.KERNEL32(?), ref: 00B115D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00B115EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00B11609
CloseHandle.KERNEL32(00000000), ref: 00B11612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00B1162D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B11599
%s%.8x.bat, xrefs: 00B115A4
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00B115C0
open, xrefs: 00B11627
C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B1158A, 00B115B3, 00B115B8, 00B115B9

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nuwcjd.exe$open
API String ID: 617340118-2048616475
Opcode ID: d6f45179cf5ac1f6568c09b556c462ac7da570394dfa032bfbad31e542275eb5
Instruction ID: b9537a54b0260a63198895e8eec78d91c8d071a3e06dcaa99b9cdd9dd68f35d7
Opcode Fuzzy Hash: d6f45179cf5ac1f6568c09b556c462ac7da570394dfa032bfbad31e542275eb5
Instruction Fuzzy Hash: B3115476A411287ED72097A49C8DEEB7AECDF59B51F800491F949E3050EA749BC4CBB0

Function 00B1120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00B11400), ref: 00B11226
GetProcAddress.KERNEL32(00000000), ref: 00B1122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00B11400), ref: 00B1123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00B11400), ref: 00B11250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\nuwcjd.exe,?,?,?,?,00B11400), ref: 00B1129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\nuwcjd.exe,?,?,?,?,00B11400), ref: 00B112B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nuwcjd.exe,?,?,?,?,00B11400), ref: 00B112F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00B11400), ref: 00B1130A

Strings

ntdll.dll, xrefs: 00B11219
ZwQuerySystemInformation, xrefs: 00B11212
C:\Users\user\AppData\Local\Temp\nuwcjd.exe, xrefs: 00B11262

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\nuwcjd.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2506007772
Opcode ID: ab79e78412be0259e7abfdc222463389d77acd8072cbf31946f1da8ef9dc941d
Instruction ID: 14bdcb41d26dd3d4395aec837a22675293066c9c19229c865597de279149d8b9
Opcode Fuzzy Hash: ab79e78412be0259e7abfdc222463389d77acd8072cbf31946f1da8ef9dc941d
Instruction Fuzzy Hash: 6E21C371605311ABD7209B69DC48BEBBAE8FB8AF00F904D58F645E7240D770DA8487E5

Function 00B11000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00B110E8,?), ref: 00B11018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400,?,http://%s:%d/%s/%s,00B110E8,?), ref: 00B11029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00B11038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00B110E8,?), ref: 00B1104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00B110E8,?), ref: 00B11075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00B110E8,?), ref: 00B1108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00B110E8,?), ref: 00B1108E

Strings

ddos.dnsnb8.net, xrefs: 00B11026
http://%s:%d/%s/%s, xrefs: 00B11000

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 2e3f56fe16f6980411aea292d1e413db91f6a737f97a1369d30871a8041e2ea3
Instruction ID: 768b180e02377a7ac1285536677c80fa7c7f618e47af90be0d03fd4fc9d5252e
Opcode Fuzzy Hash: 2e3f56fe16f6980411aea292d1e413db91f6a737f97a1369d30871a8041e2ea3
Instruction Fuzzy Hash: F7015EB150025CBFE6205F649C8CFABBAECDB48B99F414929F345A3190EA705E848A60

Function 00B1185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00B11118), ref: 00B11867
srand.MSVCRT ref: 00B11878
rand.MSVCRT ref: 00B11880
srand.MSVCRT ref: 00B11890
rand.MSVCRT ref: 00B11894

Strings

ddos.dnsnb8.net, xrefs: 00B11862
http://%s:%d/%s/%s, xrefs: 00B11860

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 038828a9bd3cb101bf6389c68b8743ad199ca2f88549425defa1ad42a3d5fb64
Instruction ID: 435fabe6acdec04f9a233a2eca457e2b99aa2f3316e07ea5034575ae2b1b4f18
Opcode Fuzzy Hash: 038828a9bd3cb101bf6389c68b8743ad199ca2f88549425defa1ad42a3d5fb64
Instruction Fuzzy Hash: 3FE09277A00218BBDB00A7A9EC4ADDEBBECDE88561B100566F600D3250F971E9448AB4

Function 00B12692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,00B129DB,?,00000001), ref: 00B126A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,00B129DB,?,00000001), ref: 00B126B5
lstrlen.KERNEL32(?), ref: 00B126C4
??2@YAPAXI@Z.MSVCRT ref: 00B126CE
lstrcpy.KERNEL32(00000004,?), ref: 00B126E3
lstrcpy.KERNEL32(?,00000004), ref: 00B1271F
??3@YAXPAX@Z.MSVCRT ref: 00B1272D
SetEvent.KERNEL32 ref: 00B1273C

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 37bc0fe139ab2d5e4c023342535dd0f55c6d98b0bddb83a0a0248fa9e9f5413e
Instruction ID: 6ea3f625b3c7e968e18c687209e3e6499f6ab33afe02d27e9daa61d3c8434256
Opcode Fuzzy Hash: 37bc0fe139ab2d5e4c023342535dd0f55c6d98b0bddb83a0a0248fa9e9f5413e
Instruction Fuzzy Hash: 31119D36500200EFCB219F14EC489DB7BE9FB88B207E48065F858C7260EB308ED5CB90

Function 00B11B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00B11BCD
rand.MSVCRT ref: 00B11BD8
memset.MSVCRT ref: 00B11C43
memcpy.MSVCRT ref: 00B11C4F
lstrcat.KERNEL32(?,.exe), ref: 00B11C5D

Strings

.exe, xrefs: 00B11C57
shRNoTVqwpBtJvUOdLJooKYfUedYICWGrPyzbeDRpKEQOSjjOJgNDymCFWFlAcrIsnbcvqIBljpLrhDEgWMNBnubvdiZSsHxUkmVltEcwuwHfTGHPXQZhGaZainSMzYtKzXxxQXyAPVgqRkFLAkiMamfeCuT, xrefs: 00B11B8A, 00B11B9C, 00B11C15, 00B11C49

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$shRNoTVqwpBtJvUOdLJooKYfUedYICWGrPyzbeDRpKEQOSjjOJgNDymCFWFlAcrIsnbcvqIBljpLrhDEgWMNBnubvdiZSsHxUkmVltEcwuwHfTGHPXQZhGaZainSMzYtKzXxxQXyAPVgqRkFLAkiMamfeCuT
API String ID: 122620767-178692489
Opcode ID: 36b9d235441d866c991c9e373da29d3f2715897c381a5c28523b6473ab0ee936
Instruction ID: a4c6128e8935de73cecb885234c4d209b11eb1c0e167c8f6d217dd61fd0a71c9
Opcode Fuzzy Hash: 36b9d235441d866c991c9e373da29d3f2715897c381a5c28523b6473ab0ee936
Instruction Fuzzy Hash: E6219E22E081906ED615133C7C41BEA2FC4CFA7B10FE684E9F6854B1A2E6640DC582A0

Function 00B1189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B118B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 00B118D3
CloseHandle.KERNEL32(00B12549), ref: 00B118E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B118F0
GetExitCodeProcess.KERNEL32(?,00B12549), ref: 00B11901
CloseHandle.KERNEL32(?), ref: 00B1190A

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: f54f8d83478d128e98383649d0c714560b70f14d8be01dcd0dd64f114cadad86
Instruction ID: a6afb06e443f7f6b11f2ca1108507d2e58d879dc93b8ad963d85d6a020748f9b
Opcode Fuzzy Hash: f54f8d83478d128e98383649d0c714560b70f14d8be01dcd0dd64f114cadad86
Instruction Fuzzy Hash: 92017176901128BBCB216B95DC4CEDF7FBDEF85760F504021FA15A61A0D6354A58CAA0

Function 00B11319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00B11334
GetProcAddress.KERNEL32(00000000), ref: 00B1133B
memset.MSVCRT ref: 00B11359

Strings

ntdll.dll, xrefs: 00B1132F
NtSystemDebugControl, xrefs: 00B1132A

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 1101e45f93aa8ca1824f265882c5f3255735df20b1069cbed8f53a2f3e74a290
Instruction ID: 8767dcd59e490de29898871b2a8798c817e0026f5d0a1f248fd400006047e050
Opcode Fuzzy Hash: 1101e45f93aa8ca1824f265882c5f3255735df20b1069cbed8f53a2f3e74a290
Instruction Fuzzy Hash: 7401ADB1A0030DBFDB10DF98AC84AEFBBF8FB04704F8045AAFA11A2150E7708695CA54

Function 00B11DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00B11E0B
lstrcpy.KERNEL32(?,00000001), ref: 00B11E1C
strrchr.MSVCRT ref: 00B11E2B
lstrcmpiA.KERNEL32(?,00B14488), ref: 00B11E48
lstrlen.KERNEL32(00B14488), ref: 00B11E53

Memory Dump Source

Source File: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 51b4975f46ad015af7f4e1c477414145a2347735fea9622edee0a7ee72b082da
Instruction ID: f5df2e1c813a3d7cf137c586a3fee7b131525e65bc0e2fa157a27005f1b77a50
Opcode Fuzzy Hash: 51b4975f46ad015af7f4e1c477414145a2347735fea9622edee0a7ee72b082da
Instruction Fuzzy Hash: E801D6B390421A6FEB2097A4EC48BD67BDCDB04310F9444A6EA45E3090EF749AC4CBA0

Function 00B16014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00B1603C
GetProcAddress.KERNEL32(00000000,00B16064), ref: 00B1604F

Strings

kernel32.dll, xrefs: 00B1603B

Memory Dump Source

Source File: 00000001.00000002.2203200093.0000000000B16000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000001.00000002.2203010810.0000000000B10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203124982.0000000000B11000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203158058.0000000000B13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2203178569.0000000000B14000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b10000_nuwcjd.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 78f32ee08e75b66f738abb6375095a6ff87836801837d7b1dbccd7c7d1175aaa
Instruction ID: f421761b1832f9577a7c70f38a9414405b1f1e4e929ca3a7a2078ca12d386b9b
Opcode Fuzzy Hash: 78f32ee08e75b66f738abb6375095a6ff87836801837d7b1dbccd7c7d1175aaa
Instruction Fuzzy Hash: 67F0F6B11402898FDF70CE64CC84BDE37E4EB05700F90047AEA09CB241CB348685CB14

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7Y18r(212).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7Y18r(212).exe_4e85da955ca18bb64608bd36b4037462285ed_8ee35320_9fce3981-bf1c-4f7c-b9a5-47751f43c810\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nuwcjd.exe_7689929733b9f7a719f893b7fd9ced26bf8ebf_59aa2b61_74bca566-19f6-4a96-8151-58df96c852f8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC020.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC11C.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD406.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD427.tmp.xml

C:\Users\user\AppData\Local\Temp\nuwcjd.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
7Y18r(212).exe

Function 008DA044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 00B129E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00B11099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Function 00B11718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 00B16076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Function 00B12B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Function 00B11E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Function 00B11973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Function 00B128B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Function 00B11638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Function 00B12C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Function 00B114E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Function 00B11915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Function 00B16159 Relevance: 2.6, APIs: 2, Instructions: 58
memoryCOMMON