Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
KRITENESIAS.exe

Overview

General Information

Sample name:KRITENESIAS.exe
Analysis ID:1542884
MD5:e6e3f0819cd71162daebb192061b78de
SHA1:a03a28f1c6f0329ad2af6aa6cce1e6058e5df8ee
SHA256:f58196e6f2428a361e9c3c004c3f340e5f4ea281c16ecc5222dd10bc02098dfc
Tags:exeuser-KnownStormChaser
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Infects the VBR (Volume Boot Record) of the hard disk
Loading BitLocker PowerShell Module
Uses cmd line tools excessively to alter registry or file data
Writes directly to the primary disk partition (DR0)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Process Tree

  • System is w10x64
  • KRITENESIAS.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\KRITENESIAS.exe" MD5: E6E3F0819CD71162DAEBB192061B78DE)
    • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7952 cmdline: C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • reg.exe (PID: 7968 cmdline: reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 7984 cmdline: C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • reg.exe (PID: 8000 cmdline: reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 8016 cmdline: C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • reg.exe (PID: 8032 cmdline: reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 8188 cmdline: C:\Windows\system32\cmd.exe /c powershell wininit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • powershell.exe (PID: 7176 cmdline: powershell wininit MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell wininit, CommandLine: powershell wininit, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell wininit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8188, ParentProcessName: cmd.exe, ProcessCommandLine: powershell wininit, ProcessId: 7176, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: KRITENESIAS.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: KRITENESIAS.exeReversingLabs: Detection: 52%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.3% probability
Source: KRITENESIAS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: KRITENESIAS.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\idk\Downloads\SHOTHIRIUM\SHOTHIRIUM\compile\SHOTHIRIUM.pdb!! source: KRITENESIAS.exe
Source: Binary string: C:\Users\idk\Downloads\SHOTHIRIUM\SHOTHIRIUM\compile\SHOTHIRIUM.pdb source: KRITENESIAS.exe
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF102D GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,_libm_sse2_sin_precise,BitBlt,Sleep,Sleep,PatBlt,_libm_sse2_sin_precise,BitBlt,Sleep,Sleep,Sleep,0_2_00BF102D

Operating System Destruction

barindex
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF2D00 CreateFileW on filename \\.\PhysicalDrive00_2_00BF2D00
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF1D30 CreateFileW on filename \\.\PhysicalDrive00_2_00BF1D30
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF30650_2_00BF3065
Source: KRITENESIAS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: classification engineClassification label: mal84.evad.winEXE@18/6@0/0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e4fwagcx.owr.ps1Jump to behavior
Source: KRITENESIAS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KRITENESIAS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: KRITENESIAS.exeReversingLabs: Detection: 52%
Source: unknownProcess created: C:\Users\user\Desktop\KRITENESIAS.exe "C:\Users\user\Desktop\KRITENESIAS.exe"
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell wininit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell wininit
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / fJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell wininitJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell wininitJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: mmdevapi.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: ksuser.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: avrt.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: audioses.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeSection loaded: midimap.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KRITENESIAS.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: KRITENESIAS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\idk\Downloads\SHOTHIRIUM\SHOTHIRIUM\compile\SHOTHIRIUM.pdb!! source: KRITENESIAS.exe
Source: Binary string: C:\Users\idk\Downloads\SHOTHIRIUM\SHOTHIRIUM\compile\SHOTHIRIUM.pdb source: KRITENESIAS.exe
Source: KRITENESIAS.exeStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF107D push ecx; ret 0_2_00BF44B3

Persistence and Installation Behavior

barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: GetConsoleWindow,ShowWindow,MessageBoxW,MessageBoxW,MessageBoxW,CreateFileW,WriteFile,CloseHandle,system,system,system,system,Sleep,Sleep,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,system, \\.\PhysicalDrive00_2_00BF2D00
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: CreateFileW,WriteFile,CloseHandle, \\.\PhysicalDrive00_2_00BF1D30
Infects the VBR (Volume Boot Record) of the hard disk
Source: C:\Users\user\Desktop\KRITENESIAS.exeFile written: \Device\Harddisk0\DR0 offset: 512Jump to behavior
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exeJump to behavior
Writes directly to the primary disk partition (DR0)
Source: C:\Users\user\Desktop\KRITENESIAS.exeFile written: \Device\Harddisk0\DR0 offset: 512 length: 512Jump to behavior

Boot Survival

barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: GetConsoleWindow,ShowWindow,MessageBoxW,MessageBoxW,MessageBoxW,CreateFileW,WriteFile,CloseHandle,system,system,system,system,Sleep,Sleep,CreateThread,CreateThread,Sleep,TerminateThread,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,CreateThread,Sleep,TerminateThread,system, \\.\PhysicalDrive00_2_00BF2D00
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: CreateFileW,WriteFile,CloseHandle, \\.\PhysicalDrive00_2_00BF1D30

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5458Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4275Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exe TID: 7728Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7460Thread sleep count: 5458 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7344Thread sleep count: 4275 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428Thread sleep time: -9223372036854770s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeThread delayed: delay time: 35000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF4152 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BF4152
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF37BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BF37BE
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF4152 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BF4152
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF1203 SetUnhandledExceptionFilter,0_2_00BF1203
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / fJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell wininitJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell wininitJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\KRITENESIAS.exeCode function: 0_2_00BF3FE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00BF3FE4

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		4
Bootkit		11
Process Injection		1
Modify Registry		OS Credential Dumping1
System Time Discovery		Remote Services1
Screen Capture		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		LSASS Memory2
Security Software Discovery		Remote Desktop Protocol1
Archive Collected Data		Junk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS31
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script4
Bootkit		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials22
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542884 Sample: KRITENESIAS.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 84 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 AI detected suspicious sample 2->35 7 KRITENESIAS.exe 1 2->7         started        process3 file4 29 \Device\Harddisk0\DR0, DOS/MBR 7->29 dropped 39 Writes directly to the primary disk partition (DR0) 7->39 41 Infects the VBR (Volume Boot Record) of the hard disk 7->41 43 Contains functionality to access PhysicalDrive, possible boot sector overwrite 7->43 45 Contains functionality to infect the boot sector 7->45 11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        16 cmd.exe 1 7->16         started        18 2 other processes 7->18 signatures5 process6 signatures7 20 powershell.exe 20 11->20         started        47 Uses cmd line tools excessively to alter registry or file data 13->47 23 reg.exe 1 13->23         started        25 reg.exe 1 16->25         started        27 reg.exe 1 18->27         started        process8 signatures9 37 Loading BitLocker PowerShell Module 20->37

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
KRITENESIAS.exe53%ReversingLabsWin32.Trojan.Nekark
KRITENESIAS.exe100%AviraTR/AD.Nekark.njzzd

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542884
Start date and time:2024-10-26 19:22:11 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:KRITENESIAS.exe
Detection:MAL
Classification:mal84.evad.winEXE@18/6@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 13
  • Number of non-executed functions: 10
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • VT rate limit hit for: KRITENESIAS.exe

Simulations

Behavior and APIs

TimeTypeDescription
13:23:19API Interceptor7x Sleep call for process: KRITENESIAS.exe modified
13:23:20API Interceptor22x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1510207563435464
Encrypted:false
SSDEEP:3:NlllulPki/llllZ:NllUcylll
MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious:false
Reputation:moderate, very likely benign file
Preview:@...e.................................^..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ar1l3lt.qch.ps1

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0vc5qcrh.qhc.psm1

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e4fwagcx.owr.ps1

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwzw5bs5.20n.psm1

Download File
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

\Device\Harddisk0\DR0

Download File
Process:C:\Users\user\Desktop\KRITENESIAS.exe
File Type:DOS/MBR boot sector
Category:dropped
Size (bytes):512
Entropy (8bit):2.4115103828740536
Encrypted:false
SSDEEP:3:Fpip6lr8HslbS+JthWUZlW7apQSurthosXjJPyzOTUG+KRSlD9ppFKfu4Rjmy776:1rlfJaA4apOrVzEzOAG+KcrpwpRT2
MD5:F6BB1995D1A19449E8A2251B866CC1EB
SHA1:599F4EDA2C999869A18CFB239C431848BB68530D
SHA-256:9FC2133ECA4A9B62EEBAD4231C10A1236DFE9FC810CFC6FC32AF40798114DCD4
SHA-512:7643B5A2ABEB4941DD486994106F385D0E4BD0B2B036D98FFD79BFB94C83E2119793F5EB436F720A499BAE740D0EDAE19AEE66B9E9EE7B5A8E1EEC069801A453
Malicious:true
Preview:..................1..........D....Ds1<.s...$.........u....<@r.$?........)..................D..............C.................}.....2...........................................................................................................................................................................................................................................................................................................................................................................U.

Static File Info

General

File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):5.255161402824075
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:KRITENESIAS.exe
File size:62'464 bytes
MD5:e6e3f0819cd71162daebb192061b78de
SHA1:a03a28f1c6f0329ad2af6aa6cce1e6058e5df8ee
SHA256:f58196e6f2428a361e9c3c004c3f340e5f4ea281c16ecc5222dd10bc02098dfc
SHA512:3012ae1c4d513c9968a56e24cb67875e0c590157d43c0efaea85cadd276f2774843f3f1234b6ededebda0d9a795534611210bae1863e06f5fd63a28c76c8618e
SSDEEP:768:HE3sS2x+nv/bTVi9uRL/DrICdT1968HiqqLPpAF76R:HE3D2xivfcERL3ICF19xrsBA
TLSH:0B539D61F9D0CA23DABE507858FA99B54B0F79F12B3590E726F582030A950F64D3CB1E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;.B.Z...Z...Z..."G..Z.......Z.......Z.......Z.......Z..."...Z...Z...Z.......Z....+..Z...ZC..Z.......Z..Rich.Z.................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x401014
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66FE7FD6 [Thu Oct 3 11:28:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:5f3f244e263ccb2f29dbe2d3ca3219ef

Entrypoint Preview

Instruction
jmp 00007FD258F1CA5Eh
jmp 00007FD258F1CA97h
jmp 00007FD258F1D3EEh
jmp 00007FD258F1D3A1h
jmp 00007FD258F1CBC1h
jmp 00007FD258F1AA83h
jmp 00007FD258F1D3D4h
jmp 00007FD258F1DA0Ah
jmp 00007FD258F1D5D6h
jmp 00007FD258F1CFD8h
jmp 00007FD258F1DB55h
jmp 00007FD258F1D7DAh
jmp 00007FD258F1B710h
jmp 00007FD258F1C29Bh
jmp 00007FD258F1D31Dh
jmp 00007FD258F1D96Ah
jmp 00007FD258F1D75Eh
jmp 00007FD258F1DB2Ch
jmp 00007FD258F1C9D4h
jmp 00007FD258F1CEF3h
jmp 00007FD258F1D4F4h
jmp 00007FD258F1D6E3h
jmp 00007FD258F1D67Eh
jmp 00007FD258F1D2E4h
jmp 00007FD258F1A884h
jmp 00007FD258F1CF1Ch
jmp 00007FD258F1D2CBh
jmp 00007FD258F1AD85h
jmp 00007FD258F1CF4Eh
jmp 00007FD258F1DAEDh
jmp 00007FD258F1D7C2h
jmp 00007FD258F1D2B9h
jmp 00007FD258F1D064h
jmp 00007FD258F1DADCh
jmp 00007FD258F1C952h
jmp 00007FD258F1CFADh
jmp 00007FD258F1CE69h
jmp 00007FD258F1D2A4h
jmp 00007FD258F1C201h
jmp 00007FD258F1D2FCh

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x103700x104.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x130000x446.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x140000x40c.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0xd5180x38.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xd4300x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x100000x370.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x4b670x4c00e4e7e70029fe0dbbdfd63558889acbd9False0.29230057565789475data4.715046865917844IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x60000x812d0x8200142a81423f305578335613a76d4600efFalse0.5147836538461539data5.16686909462714IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0xf0000x6040x200660d8b2c37170823ce59350554670244False0.08203125data0.41483924795914456IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata0x100000x10450x1200d2ce4d08be34c60ca359c41e810bed9cFalse0.2732204861111111data3.590673332741307IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg0x120000x10e0x20010fbdb9bf5c6b522e91f378441bbf238False0.03515625data0.11055713125913882IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x130000x4460x60037e512946488cd0e5357990014534ab4False0.18424479166666666data2.1806754812875706IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x140000x58d0x600960ebaf8d2b3a9f3a4bb737d2c5c2fd2False0.6263020833333334data5.16732875469798IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_MANIFEST0x131700x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143

Imports

DLLImport
KERNEL32.dllGetSystemTimeAsFileTime, GetCurrentThreadId, InitializeSListHead, QueryPerformanceCounter, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetConsoleWindow, TerminateThread, CreateThread, Sleep, CloseHandle, WriteFile, GetCurrentProcessId, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetModuleHandleW
USER32.dllGetWindowRect, MessageBoxW, GetDesktopWindow, GetDC, ShowWindow, GetSystemMetrics
GDI32.dllStretchBlt, SelectObject, PatBlt, PlgBlt, DeleteObject, CreateSolidBrush, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
WINMM.dllwaveOutPrepareHeader, waveOutWrite, waveOutOpen, waveOutUnprepareHeader, waveOutClose
VCRUNTIME140.dll__current_exception_context, __std_type_info_destroy_list, _except_handler4_common, __current_exception, memset
api-ms-win-crt-utility-l1-1-0.dllrand
api-ms-win-crt-runtime-l1-1-0.dll_initterm_e, _cexit, _configure_narrow_argv, _seh_filter_dll, _initialize_onexit_table, __p___argv, _execute_onexit_table, _crt_atexit, _crt_at_quick_exit, _controlfp_s, terminate, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _register_thread_local_exe_atexit_callback, __p___argc, exit, _register_onexit_function, _set_app_type, _seh_filter_exe, _exit, system, _c_exit
api-ms-win-crt-time-l1-1-0.dll_time64
api-ms-win-crt-math-l1-1-0.dll_libm_sse2_sin_precise, __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll_set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll_set_new_mode

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:13:23:09
Start date:26/10/2024
Path:C:\Users\user\Desktop\KRITENESIAS.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\KRITENESIAS.exe"
Imagebase:0xbf0000
File size:62'464 bytes
MD5 hash:E6E3F0819CD71162DAEBB192061B78DE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:1
Start time:13:23:09
Start date:26/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:13:23:17
Start date:26/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:5
Start time:13:23:17
Start date:26/10/2024
Path:C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):true
Commandline:reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:0x4e0000
File size:59'392 bytes
MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:6
Start time:13:23:17
Start date:26/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:7
Start time:13:23:17
Start date:26/10/2024
Path:C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):true
Commandline:reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f
Imagebase:0x4e0000
File size:59'392 bytes
MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:8
Start time:13:23:17
Start date:26/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:9
Start time:13:23:17
Start date:26/10/2024
Path:C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):true
Commandline:reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f
Imagebase:0x4e0000
File size:59'392 bytes
MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:11
Start time:13:23:20
Start date:26/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c powershell wininit
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:12
Start time:13:23:20
Start date:26/10/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell wininit
Imagebase:0x5b0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:31.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:18.4%
    Total number of Nodes:207
    Total number of Limit Nodes:9
    execution_graph 898 bf37be SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 901 bf353c 905 bf1203 901->905 903 bf3541 904 bf3546 _set_new_mode 903->904 905->903 906 bf4343 SetUnhandledExceptionFilter 905->906 906->903 907 bf44b9 908 bf122b 907->908 909 bf44c7 _except_handler4_common 908->909 912 bf37b2 913 bf1230 ___security_init_cookie 5 API calls 912->913 914 bf37b7 913->914 914->914 885 bf29f0 886 bf1055 885->886 887 bf29fd waveOutOpen memset 886->887 888 bf2a80 887->888 889 bf2ae0 888->889 890 bf2bb3 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose 888->890 891 bf2c5a 890->891 915 bf3db0 916 bf3dbc 915->916 917 bf3dc0 915->917 918 bf3dda _initialize_onexit_table 917->918 920 bf3df8 ___scrt_is_nonwritable_in_current_image 917->920 919 bf3de9 _initialize_onexit_table 918->919 918->920 919->920 921 bf1d30 CreateFileW WriteFile CloseHandle 942 bf106e 943 bf3782 _set_app_type 942->943 944 bf3ced 946 bf3cf5 944->946 945 bf3d12 _seh_filter_dll 946->945 922 bf42ac memset GetStartupInfoW 923 bf42d2 922->923 947 bf10eb __RTC_Initialize 948 bf4401 947->948 949 bf2ae8 950 bf2aa0 949->950 951 bf2ae0 950->951 952 bf2bb3 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose 950->952 953 bf2c5a 952->953 954 bf1168 955 bf40c6 __std_type_info_destroy_list 954->955 924 bf1127 925 bf3740 924->925 926 bf3745 _configure_narrow_argv 925->926 956 bf3f67 957 bf3f7d _register_onexit_function 956->957 958 bf3f76 _crt_atexit 956->958 959 bf3f88 957->959 958->959 960 bf3065 IsProcessorFeaturePresent 961 bf3089 960->961 892 bf20e0 893 bf1055 892->893 894 bf20ed waveOutOpen memset 893->894 897 bf2170 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose 894->897 896 bf23d7 897->896 927 bf10a0 928 bf3d2e 927->928 929 bf3d37 _execute_onexit_table 928->929 930 bf3d43 928->930 931 bf3f9f 932 bf3fab _crt_at_quick_exit 931->932 933 bf3fb1 _register_onexit_function 931->933 962 bf345d _set_app_type 982 bf1087 962->982 964 bf346a _set_fmode 965 bf10af 964->965 966 bf3475 __p__commode 965->966 967 bf3485 966->967 969 bf34f1 967->969 984 bf1005 __RTC_Initialize 967->984 970 bf3494 971 bf34a3 _configure_narrow_argv 970->971 971->969 972 bf34af 971->972 986 bf105a 972->986 974 bf34b4 975 bf34bd __setusermatherr 974->975 976 bf34c8 974->976 975->976 988 bf11fe 976->988 978 bf34d7 979 bf34dc _configthreadlocale 978->979 980 bf34e8 979->980 980->969 981 bf34ec _initialize_narrow_environment 980->981 981->969 982->964 983 bf40ab 982->983 983->964 984->970 985 bf43ca 984->985 985->970 986->974 987 bf40b7 InitializeSListHead 986->987 987->974 988->978 989 bf40d8 _controlfp_s 988->989 990 bf40f0 989->990 990->978 782 bf3699 791 bf11e5 782->791 784 bf36a1 785 bf36d7 _exit 784->785 786 bf36a5 784->786 789 bf3740 785->789 787 bf36ab _c_exit 786->787 788 bf36b0 786->788 787->788 790 bf3745 _configure_narrow_argv 789->790 791->784 792 bf42f1 GetModuleHandleW 791->792 793 bf42fd 792->793 793->784 991 bf4355 992 bf438c 991->992 994 bf4367 991->994 993 bf4394 __current_exception __current_exception_context terminate 994->992 994->993 995 bf3755 _get_initial_narrow_environment __p___argv __p___argc 996 bf3773 995->996 794 bf3552 813 bf1230 ___security_init_cookie 794->813 796 bf36ca 797 bf36d1 exit 796->797 799 bf36d7 _exit 797->799 798 bf3557 798->796 800 bf359f _initterm_e 798->800 805 bf35e8 798->805 801 bf3740 799->801 802 bf35cb _initterm 800->802 803 bf35ba 800->803 804 bf3745 _configure_narrow_argv 801->804 802->805 806 bf363c _get_initial_narrow_environment __p___argv __p___argc 805->806 808 bf3634 _register_thread_local_exe_atexit_callback 805->808 807 bf3658 806->807 809 bf11e5 GetModuleHandleW 807->809 808->806 810 bf3662 809->810 810->797 811 bf3666 810->811 811->803 812 bf366a _cexit 811->812 812->803 813->798 814 bf4044 813->814 816 bf4063 814->816 817 bf3fe4 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 814->817 816->798 817->816 997 bf4152 IsProcessorFeaturePresent 998 bf4168 997->998 999 bf4174 memset memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 998->999 1000 bf4257 999->1000 1001 bf2b52 1002 bf2aa0 1001->1002 1002->1002 1003 bf2bb3 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose 1002->1003 1005 bf2ae0 1002->1005 1004 bf2c5a 1003->1004 824 bf1d90 825 bf1055 824->825 826 bf1d9d waveOutOpen memset 825->826 827 bf1e32 826->827 827->827 828 bf1f86 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose 827->828 829 bf202f 828->829 935 bf1490 ShowWindow 1006 bf1650 GetDC GetSystemMetrics GetSystemMetrics _time64 1007 bf16a0 11 API calls 1006->1007 1007->1007 1008 bf177d 1007->1008 1009 bf11cc 1010 bf37a2 1009->1010 1011 bf37a7 _set_fmode 1010->1011 936 bf100a 937 bf378d 936->937 938 bf3793 __p__commode 937->938 1012 bf10c8 1013 bf3c71 1012->1013 1014 bf3c7a 1013->1014 1015 bf3c86 _configure_narrow_argv 1013->1015 1016 bf3c94 _initialize_narrow_environment 1015->1016 1017 bf3c91 1015->1017 1016->1014 939 bf3685 _seh_filter_exe 836 bf2d00 GetConsoleWindow ShowWindow MessageBoxW 837 bf2eea 836->837 838 bf2d33 MessageBoxW 836->838 838->837 839 bf2d4c 8 API calls 838->839 840 bf123f 839->840 873 bf11db 839->873 841 bf2dd1 Sleep TerminateThread CreateThread 840->841 842 bf110e 841->842 869 bf1244 841->869 843 bf2dfb Sleep TerminateThread CreateThread 842->843 844 bf1050 843->844 868 bf1212 14 API calls 843->868 845 bf2e23 Sleep TerminateThread CreateThread 844->845 846 bf1136 845->846 858 bf102d 845->858 847 bf2e4b Sleep TerminateThread CreateThread 846->847 848 bf1050 847->848 854 bf1212 847->854 849 bf2e73 Sleep TerminateThread CreateThread 848->849 850 bf123f 849->850 881 bf11d6 849->881 851 bf2e9b Sleep TerminateThread CreateThread 850->851 852 bf121c 851->852 876 bf109b 851->876 853 bf2ec3 Sleep TerminateThread system 852->853 855 bf19e0 GetDC GetSystemMetrics GetSystemMetrics 854->855 856 bf1a10 11 API calls 855->856 857 bf1a96 856->857 857->856 859 bf17f0 GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics GetDC 858->859 860 bf1833 CreateCompatibleBitmap SelectObject 859->860 864 bf184b 860->864 861 bf1951 Sleep 861->864 862 bf1880 _libm_sse2_sin_precise 862->864 864->861 864->862 865 bf18c4 Sleep 864->865 866 bf18e0 PatBlt _libm_sse2_sin_precise 864->866 867 bf1941 Sleep 864->867 865->866 866->864 867->864 870 bf15c0 GetDC GetSystemMetrics GetSystemMetrics 869->870 871 bf15e0 PatBlt 870->871 872 bf160c 871->872 872->871 874 bf14b0 GetDC GetSystemMetrics GetSystemMetrics 873->874 875 bf14e0 13 API calls 874->875 875->875 877 bf1b60 GetDC GetSystemMetrics GetSystemMetrics 876->877 878 bf1b93 877->878 879 bf1ba0 14 API calls 878->879 880 bf1c87 rand rand rand rand 878->880 879->878 880->878 882 bf1ad0 GetDC GetSystemMetrics GetSystemMetrics 881->882 883 bf1b00 rand rand rand rand 882->883 884 bf1b3d 883->884 884->883

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available
    callgraph 0 Function_00BF46BE 1 Function_00BF37BE 2 Function_00BF10BE 3 Function_00BF3EBD 4 Function_00BF44B9 5 Function_00BF37B2 67 Function_00BF1230 5->67 6 Function_00BF3DB0 17 Function_00BF3B98 6->17 7 Function_00BF45AC 8 Function_00BF42AC 9 Function_00BF40A8 10 Function_00BF10A5 11 Function_00BF40A4 12 Function_00BF24A0 13 Function_00BF10A0 14 Function_00BF3F9F 15 Function_00BF109B 16 Function_00BF3699 37 Function_00BF11E5 16->37 18 Function_00BF4797 19 Function_00BF4597 20 Function_00BF1096 21 Function_00BF1490 22 Function_00BF1190 23 Function_00BF2690 24 Function_00BF1D90 25 Function_00BF1087 26 Function_00BF3685 27 Function_00BF1181 28 Function_00BF11FE 29 Function_00BF44F6 30 Function_00BF29F0 31 Function_00BF37F0 32 Function_00BF3CED 33 Function_00BF3BED 34 Function_00BF45ED 35 Function_00BF10EB 36 Function_00BF2AE8 38 Function_00BF2AE4 39 Function_00BF3FE4 40 Function_00BF20E0 41 Function_00BF11E0 42 Function_00BF48DE 43 Function_00BF11DB 44 Function_00BF48D8 45 Function_00BF10D7 46 Function_00BF11D6 47 Function_00BF48D5 48 Function_00BF11D1 49 Function_00BF3ED0 50 Function_00BF48CF 51 Function_00BF10CD 52 Function_00BF48CC 53 Function_00BF11CC 53->25 54 Function_00BF3FCA 55 Function_00BF10C8 56 Function_00BF453F 57 Function_00BF3A3D 58 Function_00BF353C 58->51 88 Function_00BF1203 58->88 59 Function_00BF103C 60 Function_00BF113B 61 Function_00BF3939 62 Function_00BF1037 63 Function_00BF3F35 64 Function_00BF4634 65 Function_00BF1032 66 Function_00BF3030 67->39 68 Function_00BF1D30 69 Function_00BF102D 70 Function_00BF112C 71 Function_00BF3929 72 Function_00BF1127 73 Function_00BF1226 74 Function_00BF1023 75 Function_00BF1221 76 Function_00BF451E 77 Function_00BF101E 78 Function_00BF4613 79 Function_00BF3013 80 Function_00BF1212 81 Function_00BF3F11 82 Function_00BF450E 83 Function_00BF410D 84 Function_00BF100A 85 Function_00BF4709 86 Function_00BF4107 87 Function_00BF1005 89 Function_00BF4502 90 Function_00BF2D00 90->15 90->43 90->46 90->69 90->80 117 Function_00BF1244 90->117 91 Function_00BF467E 92 Function_00BF107D 93 Function_00BF117C 94 Function_00BF1177 95 Function_00BF1073 96 Function_00BF106E 97 Function_00BF116D 97->10 98 Function_00BF3D69 99 Function_00BF1168 100 Function_00BF4568 101 Function_00BF3F67 102 Function_00BF3065 103 Function_00BF4761 104 Function_00BF345D 104->25 104->27 104->28 104->41 104->45 104->60 104->70 104->73 104->74 104->87 104->93 105 Function_00BF105A 104->105 106 Function_00BF4355 107 Function_00BF3755 108 Function_00BF3552 108->37 108->48 108->65 108->67 108->77 109 Function_00BF4152 110 Function_00BF2B52 111 Function_00BF1650 112 Function_00BF2B4E 113 Function_00BF104B 114 Function_00BF114A 114->10 115 Function_00BF1046 116 Function_00BF4646 118 Function_00BF1041 119 Function_00BF4440

    Executed Functions

    Function 00BF2D00 Relevance: 73.7, APIs: 33, Strings: 9, Instructions: 169threadsleepprocessCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetConsoleWindow.KERNELBASE(00000000), ref: 00BF2D07
    • ShowWindow.USER32(00000000), ref: 00BF2D0E
    • MessageBoxW.USER32(00000000,The program you have just executed is a malware that can harm your deviceAnd make it unbootableBy continuing you agreeThat thi,WARNING,00000034), ref: 00BF2D28
    • MessageBoxW.USER32(00000000,IF YOU MADE IT TO THYIS POINT AND YOU STILL DONT KNOW WHAT IS GOING ONTHIS IS MALWARE THAT WILLDESTROY YOUR COMPUTERTHE AUTHOR,LAST WARNING,00000034), ref: 00BF2D41
    • CreateFileW.KERNELBASE(\\.\PhysicalDrive0,10000000,00000003,00000000,00000003,00000000,00000000), ref: 00BF2D62
    • WriteFile.KERNELBASE(00000000,00BF6B30,00000200,?,00000000), ref: 00BF2D7B
    • CloseHandle.KERNEL32(00000000), ref: 00BF2D82
    • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f), ref: 00BF2D93
    • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f), ref: 00BF2D9A
    • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f), ref: 00BF2DA1
    • Sleep.KERNELBASE(000005DC), ref: 00BF2DB1
    • CreateThread.KERNELBASE(00000000,00000000,Function_000011DB,00000000,00000000,00000000), ref: 00BF2DC8
    • Sleep.KERNELBASE(000088B8), ref: 00BF2DD6
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2DE1
    • CreateThread.KERNELBASE(00000000,00000000,Function_00001244,00000000,00000000,00000000), ref: 00BF2DF2
    • Sleep.KERNELBASE(000088B8), ref: 00BF2E00
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2E09
    • CreateThread.KERNELBASE(00000000,00000000,Function_00001212,00000000,00000000,00000000), ref: 00BF2E1A
    • Sleep.KERNELBASE(000088B8), ref: 00BF2E28
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2E31
    • CreateThread.KERNELBASE(00000000,00000000,Function_0000102D,00000000,00000000,00000000), ref: 00BF2E42
    • Sleep.KERNELBASE(000088B8), ref: 00BF2E50
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2E59
    • CreateThread.KERNELBASE(00000000,00000000,Function_00001212,00000000,00000000,00000000), ref: 00BF2E6A
    • Sleep.KERNELBASE(000088B8), ref: 00BF2E78
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2E81
    • CreateThread.KERNELBASE(00000000,00000000,Function_000011D6,00000000,00000000,00000000), ref: 00BF2E92
    • Sleep.KERNELBASE(000088B8), ref: 00BF2EA0
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2EA9
    • CreateThread.KERNELBASE(00000000,00000000,Function_0000109B,00000000,00000000,00000000), ref: 00BF2EBA
    • Sleep.KERNELBASE(000088B8), ref: 00BF2EC8
    • TerminateThread.KERNELBASE(00000000,00000000), ref: 00BF2ED1
    • system.API-MS-WIN-CRT-RUNTIME-L1-1-0(powershell wininit), ref: 00BF2ED8
    Strings
    • reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f, xrefs: 00BF2D95
    • \\.\PhysicalDrive0, xrefs: 00BF2D5D
    • reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f, xrefs: 00BF2D9C
    • The program you have just executed is a malware that can harm your deviceAnd make it unbootableBy continuing you agreeThat thi, xrefs: 00BF2D21
    • IF YOU MADE IT TO THYIS POINT AND YOU STILL DONT KNOW WHAT IS GOING ONTHIS IS MALWARE THAT WILLDESTROY YOUR COMPUTERTHE AUTHOR, xrefs: 00BF2D3A
    • reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f, xrefs: 00BF2D8E
    • powershell wininit, xrefs: 00BF2ED3
    • WARNING, xrefs: 00BF2D1C
    • LAST WARNING, xrefs: 00BF2D35
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: Thread$CreateSleep$Terminate$system$FileMessageWindow$CloseConsoleHandleShowWrite
    • String ID: IF YOU MADE IT TO THYIS POINT AND YOU STILL DONT KNOW WHAT IS GOING ONTHIS IS MALWARE THAT WILLDESTROY YOUR COMPUTERTHE AUTHOR$LAST WARNING$The program you have just executed is a malware that can harm your deviceAnd make it unbootableBy continuing you agreeThat thi$WARNING$\\.\PhysicalDrive0$powershell wininit$reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem / v DisableCMD / t REG_DWORD / d 1 / f$reg add HKCUHKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f$reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableRegistryTools /t REG_DWORD /d 1 /f
    • API String ID: 1486687036-177777972
    • Opcode ID: fd52004fef1496db8c0183c385de27daa3dc9fb4037a97ba94ba14d516f1acbe
    • Instruction ID: 208e9e6546b416265ceacb021c7589f9c58711f2a18ce6b8ba01de5c06bba3a8
    • Opcode Fuzzy Hash: fd52004fef1496db8c0183c385de27daa3dc9fb4037a97ba94ba14d516f1acbe
    • Instruction Fuzzy Hash: E3413031BC0718B6F13077B96C0BF6D6A94AB49F46F324890F708BF1D18DE46904866E
    Function 00BF102D Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 124windowsleepCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetSystemMetrics.USER32(00000000), ref: 00BF1801
    • GetSystemMetrics.USER32(00000001), ref: 00BF1808
    • GetSystemMetrics.USER32(00000000), ref: 00BF180F
    • GetSystemMetrics.USER32(00000001), ref: 00BF1815
    • GetDC.USER32(00000000), ref: 00BF1824
    • CreateCompatibleDC.GDI32(00000000), ref: 00BF182D
    • CreateCompatibleBitmap.GDI32(00000000,00000000,?), ref: 00BF183D
    • SelectObject.GDI32(00000000,00000000), ref: 00BF1845
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00BF185F
    • _libm_sse2_sin_precise.API-MS-WIN-CRT-MATH-L1-1-0(00000000,00CC0020), ref: 00BF1886
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00CC0020), ref: 00BF18A2
    • Sleep.KERNELBASE(0000000A), ref: 00BF18CB
    • PatBlt.GDI32(00000000,00000000,?,?,?,005A0049), ref: 00BF18F0
    • _libm_sse2_sin_precise.API-MS-WIN-CRT-MATH-L1-1-0(00CC0020), ref: 00BF1900
    • BitBlt.GDI32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00CC0020), ref: 00BF191F
    • Sleep.KERNEL32(0000000A), ref: 00BF1943
    • Sleep.KERNEL32(0000000A), ref: 00BF1966
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: MetricsSystem$Sleep$CompatibleCreate_libm_sse2_sin_precise$BitmapObjectSelect
    • String ID: @L(t$@M(t
    • API String ID: 2592621613-4150930626
    • Opcode ID: e72d0976a61ce07f3adc350325d049bdb8d293e31e2d3262a54700b91c87e4f7
    • Instruction ID: 5bde315562436f43ca99ae2f178594d500e6c8a7378a73be75d121810437c8cf
    • Opcode Fuzzy Hash: e72d0976a61ce07f3adc350325d049bdb8d293e31e2d3262a54700b91c87e4f7
    • Instruction Fuzzy Hash: 93415935D4071CEADB129FA49C86FAFBB78EF0AB44F224154F605BB190DB705A81DB90
    Function 00BF109B Relevance: 47.4, APIs: 25, Strings: 2, Instructions: 138windowsleepCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetDC.USER32(00000000), ref: 00BF1B6B
    • GetSystemMetrics.USER32(00000000), ref: 00BF1B7E
    • GetSystemMetrics.USER32(00000001), ref: 00BF1B85
    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(?), ref: 00BF1B8D
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000000,?,00000000,00CC0020), ref: 00BF1BAE
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 00BF1BBB
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 00BF1BC4
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?), ref: 00BF1BCA
    • StretchBlt.GDI32(00000000,?,?,?,?,?), ref: 00BF1BD2
    • Sleep.KERNELBASE(00000032,?,?,?,?,?), ref: 00BF1BDA
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?), ref: 00BF1BE0
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?), ref: 00BF1BED
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?), ref: 00BF1C00
    • CreateSolidBrush.GDI32(00000000), ref: 00BF1C0E
    • SelectObject.GDI32(?,00000000), ref: 00BF1C1B
    • PatBlt.GDI32(?,00000000,00000001,?,00000000,005A0049), ref: 00BF1C2F
    • DeleteObject.GDI32(00000000), ref: 00BF1C36
    • PatBlt.GDI32(?,00000000,00000001,?,00000000,005A0049), ref: 00BF1C4B
    • BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,FFFFFC7C,00330008), ref: 00BF1C65
    • BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,-00000384,00330008), ref: 00BF1C81
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(001100A6,?,?,?,?,?), ref: 00BF1C92
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?), ref: 00BF1C9D
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,00000000,?,?,?,?,?,?,?,?), ref: 00BF1CAD
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?), ref: 00BF1CB8
    • BitBlt.GDI32(?,?,?,?,?,?,?), ref: 00BF1CC4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: rand$MetricsObjectSystem$BrushCreateDeleteSelectSleepSolidStretch_time64
    • String ID: @M(t$`GTw
    • API String ID: 1692169890-2363908596
    • Opcode ID: c7cce151e983b6d865dbfb312c5096265e3c4d384d4e0ae2a4dd29af88c50054
    • Instruction ID: fb33ce2f0d00595f1f99d7e83f28cc6073a156d6c2c46d3c6b2b240c7842afa0
    • Opcode Fuzzy Hash: c7cce151e983b6d865dbfb312c5096265e3c4d384d4e0ae2a4dd29af88c50054
    • Instruction Fuzzy Hash: A5418FB5A40218BBE71157A18C8AF7F3E7DEB88B44F224459F605A71D0CAB86D01DAB1
    Function 00BF11DB Relevance: 24.1, APIs: 16, Instructions: 80windowsleepCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetDC.USER32(00000000), ref: 00BF14BB
    • GetSystemMetrics.USER32(00000000), ref: 00BF14CE
    • GetSystemMetrics.USER32(00000001), ref: 00BF14D5
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000000,?,00000000,00CC0020), ref: 00BF14EF
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001,?), ref: 00BF14FD
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1505
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 00BF150C
    • StretchBlt.GDI32(00000000,?,?,?), ref: 00BF1513
    • Sleep.KERNELBASE(00000032,?,?,?), ref: 00BF151B
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?), ref: 00BF1521
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?), ref: 00BF152E
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?), ref: 00BF153D
    • CreateSolidBrush.GDI32(00000000), ref: 00BF1547
    • SelectObject.GDI32(?,00000000), ref: 00BF1554
    • PatBlt.GDI32(?,00000000,00000001,?,?,005A0049), ref: 00BF156B
    • DeleteObject.GDI32(00000000), ref: 00BF1572
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: rand$MetricsObjectSystem$BrushCreateDeleteSelectSleepSolidStretch
    • String ID:
    • API String ID: 1641008235-0
    • Opcode ID: 1c262c06cf3951d7d5be976d1eff35496e9ecb796b6ea9b26803e72e218ad88d
    • Instruction ID: 390e9c995b51455f81703e8e07fe597d658db78a6107d2362a4511b638ec02a2
    • Opcode Fuzzy Hash: 1c262c06cf3951d7d5be976d1eff35496e9ecb796b6ea9b26803e72e218ad88d
    • Instruction Fuzzy Hash: D5217576D41214BBE71097B58C89FBE7EB9EB88B54F264054FA05A3280CA78AD00DB65
    Function 00BF3552 Relevance: 15.2, APIs: 10, Instructions: 215COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
      • Part of subcall function 00BF1230: ___get_entropy.LIBCMT ref: 00BF405E
    • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(00BF630C,00BF6618,00BFDFE8,00000014), ref: 00BF35AF
    • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(00BF6000,00BF6208,00BFDFE8,00000014), ref: 00BF35D5
    • _register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00BFDFE8,00000014), ref: 00BF3636
    • _get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0(00BFDFE8,00000014), ref: 00BF363C
    • __p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00BFDFE8,00000014), ref: 00BF3643
    • __p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0(00BFDFE8,00000014), ref: 00BF364A
    • _cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00BF366A
    • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000007,00BFDFE8,00000014), ref: 00BF36D2
    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,00BFDFE8,00000014), ref: 00BF36DA
    • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 00BF3746
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: ___get_entropy__p___argc__p___argv_cexit_configure_narrow_argv_exit_get_initial_narrow_environment_initterm_initterm_e_register_thread_local_exe_atexit_callbackexit
    • String ID:
    • API String ID: 1580609069-0
    • Opcode ID: 74a45d0ec4e2a54cb647d76727238615a3d36483f62b37f7cae34d3376ed937a
    • Instruction ID: 3ea5f4f01158f62bddb15522918f0ab6e6a300ea02a6f72963e4296044874e70
    • Opcode Fuzzy Hash: 74a45d0ec4e2a54cb647d76727238615a3d36483f62b37f7cae34d3376ed937a
    • Instruction Fuzzy Hash: 7931043164428DBADA20BB7C98026BE37D1DF52B60F2408E9F741BB3D2CF214A4CCA55
    Function 00BF2690 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 227COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 93 bf2690-bf272f call bf1055 waveOutOpen memset 96 bf2735-bf275f 93->96 97 bf2872-bf2874 93->97 99 bf2760 96->99 98 bf2877-bf287a 97->98 101 bf287b-bf288a 98->101 100 bf2761-bf277e 99->100 102 bf27b0-bf27b5 100->102 103 bf2780-bf2788 100->103 101->97 104 bf288c-bf2897 101->104 105 bf27ba-bf27bc 102->105 103->105 106 bf278a-bf2791 103->106 107 bf2898-bf289d 104->107 112 bf27ee-bf27f6 105->112 113 bf27be-bf27c6 105->113 109 bf27db 106->109 110 bf2793-bf2797 106->110 108 bf289e-bf2930 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose call bf10d2 107->108 127 bf2935-bf293b 108->127 109->100 118 bf27dd 109->118 115 bf2799-bf27ad 110->115 116 bf27e1-bf27ec 110->116 114 bf27f8 112->114 113->114 117 bf27c8-bf27c9 113->117 121 bf27cb-bf27cf 114->121 122 bf27fa-bf27fc 114->122 115->102 116->112 117->121 119 bf27e0 118->119 119->116 125 bf2819-bf281d 121->125 126 bf27d1-bf27d5 121->126 122->101 124 bf27fd 122->124 128 bf282f-bf2834 124->128 129 bf27fe-bf2807 124->129 130 bf281f 125->130 126->130 131 bf27d7-bf27d9 126->131 132 bf2839-bf2845 128->132 129->132 133 bf2809-bf2810 129->133 130->98 134 bf2821-bf282c 130->134 131->109 132->98 139 bf2847-bf284e 132->139 137 bf285a 133->137 138 bf2812-bf2816 133->138 134->128 137->119 140 bf285c 137->140 141 bf2818 138->141 142 bf2860-bf286a 138->142 139->107 144 bf2850-bf2854 139->144 140->142 141->125 142->99 145 bf2870 142->145 144->108 146 bf2856-bf2858 144->146 145->104 146->137
    APIs
    • waveOutOpen.WINMM(?,000000FF,?,00000000,00000000,00000000), ref: 00BF270A
    • memset.VCRUNTIME140(?,00000000,0003A980), ref: 00BF271E
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF28ED
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF2902
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF2917
    • waveOutClose.WINMM(?), ref: 00BF2923
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$CloseOpenPrepareUnprepareWritememset
    • String ID: ++++++++++++++++
    • API String ID: 1523669167-1908005435
    • Opcode ID: f0e7731ec98a31d9a13f0be16ce6b9521a9919fdf516e76c18934bd5a4e0509d
    • Instruction ID: b03445ed5f1c5b603c36fcceac9b6785cfc45ac0273a93c518f2afab4e43d97c
    • Opcode Fuzzy Hash: f0e7731ec98a31d9a13f0be16ce6b9521a9919fdf516e76c18934bd5a4e0509d
    • Instruction Fuzzy Hash: 2A910272A066588EDB12CB34CC057B5B7ECEF13384F0282DADA44B7051E7306A8ACB52
    Function 00BF29F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 147 bf29f0-bf2a7a call bf1055 waveOutOpen memset 150 bf2b87-bf2b8d 147->150 151 bf2a80-bf2a9f 147->151 152 bf2b90-bf2bb0 150->152 153 bf2aa0-bf2ade 151->153 152->152 154 bf2bb2 152->154 155 bf2b10-bf2b48 153->155 156 bf2ae0 153->156 159 bf2bb3-bf2c55 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose call bf10d2 154->159 157 bf2b7a-bf2b7f 155->157 158 bf2b4a 155->158 157->153 160 bf2b85 157->160 162 bf2c5a-bf2c5d 159->162 160->159
    APIs
    • waveOutOpen.WINMM(?,000000FF,?,00000000,00000000,00000000), ref: 00BF2A55
    • memset.VCRUNTIME140(?,00000000,0003A980), ref: 00BF2A69
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF2C14
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF2C29
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF2C3E
    • waveOutClose.WINMM(?), ref: 00BF2C4A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$CloseOpenPrepareUnprepareWritememset
    • String ID: wUD\wUD\wUD\wUD\
    • API String ID: 1523669167-907442124
    • Opcode ID: 460ed9be84eb7bf5e8c2cd4679a39c50d5509688d5b8b623be5da1c7ca697e18
    • Instruction ID: 6328624bdc4b3cb5d63d8a2bde27daa0e6a9feba8ad55f0d758d20da1979f9e3
    • Opcode Fuzzy Hash: 460ed9be84eb7bf5e8c2cd4679a39c50d5509688d5b8b623be5da1c7ca697e18
    • Instruction Fuzzy Hash: 6251C570A162189EE7138B30DC057EAF7BCAF6B305F5283DBEA4872561D73952858F42
    Function 00BF20E0 Relevance: 9.2, APIs: 6, Instructions: 236COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 163 bf20e0-bf216a call bf1055 waveOutOpen memset 166 bf2307-bf2321 163->166 167 bf2170-bf2187 163->167 169 bf2324 166->169 168 bf2190-bf21bf 167->168 170 bf21f1 168->170 171 bf21c1-bf21c4 168->171 172 bf237c-bf23d2 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose call bf10d2 169->172 173 bf2326-bf232e 169->173 174 bf21f6-bf2216 170->174 171->174 175 bf21c6-bf21cd 171->175 178 bf23d7-bf23da 172->178 173->166 176 bf232f 173->176 180 bf2217-bf221b 174->180 182 bf2248-bf224b 174->182 179 bf21cf-bf21d3 175->179 175->180 181 bf2330-bf2373 176->181 184 bf221d-bf221e 179->184 185 bf21d5-bf21ed 179->185 183 bf224d 180->183 180->184 181->172 182->183 186 bf221f-bf2224 183->186 187 bf224f-bf2269 183->187 184->186 185->170 189 bf226e-bf2270 186->189 190 bf2226-bf222a 186->190 187->189 193 bf22a2 189->193 194 bf2272 189->194 191 bf222c-bf2247 190->191 192 bf2274 190->192 191->182 195 bf2275 192->195 196 bf22f3-bf22f8 192->196 197 bf22a7-bf22c7 193->197 194->192 195->197 199 bf2276-bf227e 195->199 198 bf22f9-bf22fa 196->198 197->198 200 bf22c8-bf22cc 197->200 201 bf22fe 198->201 199->200 202 bf2280-bf2289 199->202 200->201 203 bf22ce-bf22d1 200->203 201->168 205 bf2300-bf2305 201->205 204 bf22d3-bf22da 202->204 206 bf228b-bf229e 202->206 203->204 204->169 207 bf22dc-bf22e5 204->207 205->181 206->193 207->176 208 bf22e7-bf22ec 207->208 208->196
    APIs
    • waveOutOpen.WINMM(?,000000FF,?,00000000,00000000,00000000), ref: 00BF2145
    • memset.VCRUNTIME140(?,00000000,0003A980), ref: 00BF2159
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF2391
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF23A6
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF23BB
    • waveOutClose.WINMM(?), ref: 00BF23C7
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$CloseOpenPrepareUnprepareWritememset
    • String ID:
    • API String ID: 1523669167-0
    • Opcode ID: 25bf168438cb25fbcc6a0c628fcb405700d7f2cca01a6ac34f350821c14e3c84
    • Instruction ID: 8f237c4693ffb56d2e3fb7d21bc672974a3296bc0171952442ca30ddfc265142
    • Opcode Fuzzy Hash: 25bf168438cb25fbcc6a0c628fcb405700d7f2cca01a6ac34f350821c14e3c84
    • Instruction Fuzzy Hash: 78910371A1A2589FEB13CB3488057A5F3ECAFA3305F5183DEDE54B3061E735528A8B51
    Function 00BF1D90 Relevance: 9.2, APIs: 6, Instructions: 157COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • waveOutOpen.WINMM(?,000000FF,?,00000000,00000000,00000000), ref: 00BF1DF7
    • memset.VCRUNTIME140(?,00000000,0003A980), ref: 00BF1E0B
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF1FE9
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF1FFE
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF2013
    • waveOutClose.WINMM(?), ref: 00BF201F
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$CloseOpenPrepareUnprepareWritememset
    • String ID:
    • API String ID: 1523669167-0
    • Opcode ID: f4bb1d837a9c1824d863cd34ded9432640d4217438f8d8dc9d587c71b3014d49
    • Instruction ID: cfdaac2fb9a3c35eadb1e7129e274eb91b7e49e6f59144632d40c2d3ca159364
    • Opcode Fuzzy Hash: f4bb1d837a9c1824d863cd34ded9432640d4217438f8d8dc9d587c71b3014d49
    • Instruction Fuzzy Hash: 4E61E53AD1B7094BEB139A328801395F66CEF37285F51D3AFBE1436061EB3A32C14A05
    Function 00BF24A0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • waveOutOpen.WINMM(?,000000FF,?,00000000,00000000,00000000), ref: 00BF2505
    • memset.VCRUNTIME140(?,00000000,0003A980), ref: 00BF2519
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF25E2
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF25F7
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF260C
    • waveOutClose.WINMM(?), ref: 00BF2618
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$CloseOpenPrepareUnprepareWritememset
    • String ID:
    • API String ID: 1523669167-0
    • Opcode ID: 492505f63edc3542a41e19099f529ee4f4ba53590dfc851aed6b8492b8c2bd29
    • Instruction ID: c35637fe7e1396e9afa17d683af74f6901bf10d053fb4acf7ad5de76642beb87
    • Opcode Fuzzy Hash: 492505f63edc3542a41e19099f529ee4f4ba53590dfc851aed6b8492b8c2bd29
    • Instruction Fuzzy Hash: C2411A70B026189FDB22CF54DC487EEB7BDAB46300F1351DBA68CB6250D77946888F52
    Function 00BF2B52 Relevance: 6.1, APIs: 4, Instructions: 90COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 225 bf2b52-bf2b64 227 bf2bae-bf2bb0 225->227 228 bf2b66-bf2b77 225->228 230 bf2bb2 227->230 231 bf2b90-bf2bb0 227->231 232 bf2b7a-bf2b7f 228->232 233 bf2bb3-bf2c55 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose call bf10d2 230->233 231->230 231->231 234 bf2b85 232->234 235 bf2aa0-bf2ade 232->235 237 bf2c5a-bf2c5d 233->237 234->233 238 bf2b10-bf2b48 235->238 239 bf2ae0 235->239 238->232 240 bf2b4a 238->240
    APIs
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF2C14
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF2C29
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF2C3E
    • waveOutClose.WINMM(?), ref: 00BF2C4A
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$ClosePrepareUnprepareWrite
    • String ID:
    • API String ID: 2996921532-0
    • Opcode ID: 6d1ee38bb68c2e96d6dd8911a21c508c5884fbe0483a3d309ebd89e817e7f9cf
    • Instruction ID: f599d12ca734960baac7dfda10909264033650de2b2acb661736eb140e89c812
    • Opcode Fuzzy Hash: 6d1ee38bb68c2e96d6dd8911a21c508c5884fbe0483a3d309ebd89e817e7f9cf
    • Instruction Fuzzy Hash: AD414730A06658DFDB128F50DC097A9B7B8EF57301F0640DBDA8AA7062C37456A8DF22
    Function 00BF2AE8 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 241 bf2ae8-bf2af0 242 bf2b6f-bf2b77 241->242 243 bf2af2-bf2afa 241->243 246 bf2b7a-bf2b7f 242->246 244 bf2afc-bf2b00 243->244 245 bf2b44-bf2b48 243->245 247 bf2b4a 244->247 248 bf2b02-bf2b41 244->248 245->246 245->247 249 bf2b85 246->249 250 bf2aa0-bf2ade 246->250 248->245 251 bf2bb3-bf2c55 waveOutPrepareHeader waveOutWrite waveOutUnprepareHeader waveOutClose call bf10d2 249->251 252 bf2b10-bf2b48 250->252 253 bf2ae0 250->253 255 bf2c5a-bf2c5d 251->255 252->246 252->247
    APIs
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00BF2C14
    • waveOutWrite.WINMM(?,?,00000020), ref: 00BF2C29
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00BF2C3E
    • waveOutClose.WINMM(?), ref: 00BF2C4A
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: wave$Header$ClosePrepareUnprepareWrite
    • String ID:
    • API String ID: 2996921532-0
    • Opcode ID: 6826206121e0e6d1ae5ab4592e0b0da42ce56b8858895d9c63fec570dde1cbd9
    • Instruction ID: 4971301d2ceaf4da00861c0f1a8f309e8796aa19efd649c4ff40d3cebb48df5c
    • Opcode Fuzzy Hash: 6826206121e0e6d1ae5ab4592e0b0da42ce56b8858895d9c63fec570dde1cbd9
    • Instruction Fuzzy Hash: 47316F71A166189FEB138F30DC083A9F7B8AF67301F5283DBEA4972591D73552848F52
    Function 00BF3699 Relevance: 4.6, APIs: 3, Instructions: 121COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 256 bf3699-bf36a3 call bf11e5 259 bf36d7-bf374c _exit call bf1195 _configure_narrow_argv 256->259 260 bf36a5-bf36a9 256->260 261 bf36ab _c_exit 260->261 262 bf36b0-bf36c9 260->262 261->262
    APIs
      • Part of subcall function 00BF11E5: GetModuleHandleW.KERNEL32(00000000), ref: 00BF42F3
    • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00BF36AB
    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,00BFDFE8,00000014), ref: 00BF36DA
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: HandleModule_c_exit_exit
    • String ID:
    • API String ID: 750871209-0
    • Opcode ID: 411d7b29df722f923505d97835e734186ee391aaa1bdc11bd3fd05ca4a4814a1
    • Instruction ID: 1204f08f68a48d02f2c6e38de98ab799ac663e2baadc13d63a4db262021246b5
    • Opcode Fuzzy Hash: 411d7b29df722f923505d97835e734186ee391aaa1bdc11bd3fd05ca4a4814a1
    • Instruction Fuzzy Hash: 93E0927190425D9BCF10ABD895023FE77F1EB41324F1009D6E71173291D73519189B50

    Non-executed Functions

    Function 00BF4152 Relevance: 9.1, APIs: 6, Instructions: 70COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BF415E
    • memset.VCRUNTIME140(?,00000000,00000003), ref: 00BF4184
    • memset.VCRUNTIME140(?,00000000,00000050), ref: 00BF420E
    • IsDebuggerPresent.KERNEL32 ref: 00BF422A
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BF4243
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00BF424D
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 1045392073-0
    • Opcode ID: eaab7e91d329edc623dcbbe14ee6b4d6bf80a513b319f92498b354c65ebbf704
    • Instruction ID: c4dcbcf23414afa27b68fb57c5592816110444e1de3555142208415283096632
    • Opcode Fuzzy Hash: eaab7e91d329edc623dcbbe14ee6b4d6bf80a513b319f92498b354c65ebbf704
    • Instruction Fuzzy Hash: 8B31E475D0521C9BDB21EFA4D949BDDBBB8AF08304F1041EAE50CAB250EB709A88CF45
    Function 00BF1D30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26fileCOMMON
    Download Yara Rule
    APIs
    • CreateFileW.KERNEL32(\\.\PhysicalDrive0,10000000,00000003,00000000,00000003,00000000,00000000), ref: 00BF1D49
    • WriteFile.KERNEL32(00000000,00BF6B30,00000200,?,00000000), ref: 00BF1D62
    • CloseHandle.KERNEL32(00000000), ref: 00BF1D69
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: File$CloseCreateHandleWrite
    • String ID: \\.\PhysicalDrive0
    • API String ID: 1065093856-1180397377
    • Opcode ID: 8bd2c5b99df6f91f795a7354a97e6ca9e0649daeac8279341d0246203f53626f
    • Instruction ID: 1a14ce3de6502eeffcfe817aa6e67d6af4771c78ea55b405c397cc216e129f1f
    • Opcode Fuzzy Hash: 8bd2c5b99df6f91f795a7354a97e6ca9e0649daeac8279341d0246203f53626f
    • Instruction Fuzzy Hash: A3E0EC32381318BBF6215790AC1BFAA3A5CFB05B55F220181FB45EA0D19AE12A1487E9
    Function 00BF1203 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 4COMMON
    Download Yara Rule
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(\1), ref: 00BF4348
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID: \1
    • API String ID: 3192549508-2749466366
    • Opcode ID: 94167857be4e480918d72d277ca0d086883c223e5551fd08cbd58f8b09983573
    • Instruction ID: e857d163464e6ff583c08b42b4690542f932fce187f67e72c327c386418c161e
    • Opcode Fuzzy Hash: 94167857be4e480918d72d277ca0d086883c223e5551fd08cbd58f8b09983573
    • Instruction Fuzzy Hash: BF9002707405099A9D005765AA49BB9359057507057220DD0634A6347496740759D515
    Function 00BF3065 Relevance: 1.7, APIs: 1, Instructions: 242COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BF307B
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 2df213afca8e8632cff4261fefb939f0d283b635fff61de9960b1a47806a36d1
    • Instruction ID: 84620dd3ff62b22b17fdc7868894a7b4e0e34cd01f61530dab345d63d5f9e5b2
    • Opcode Fuzzy Hash: 2df213afca8e8632cff4261fefb939f0d283b635fff61de9960b1a47806a36d1
    • Instruction Fuzzy Hash: C3A159B290060A8BDB18CF68D8D16BDBBF0FF48724F14827AD515EB3A1DB349A44CB54
    Function 00BF1650 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 111windowCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetDC.USER32(00000000), ref: 00BF1665
    • GetSystemMetrics.USER32(00000000), ref: 00BF1675
    • GetSystemMetrics.USER32(00000001), ref: 00BF167C
    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(?), ref: 00BF168B
    • _time64.API-MS-WIN-CRT-TIME-L1-1-0(?), ref: 00BF16A4
    • GetDesktopWindow.USER32 ref: 00BF16A9
    • GetWindowRect.USER32(00000000,?), ref: 00BF16B4
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF16EA
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF16F7
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1706
    • CreateSolidBrush.GDI32(00000000), ref: 00BF1714
    • SelectObject.GDI32(00000000,00000000), ref: 00BF171E
    • PatBlt.GDI32(00000000,00000000,00000001,?,?,005A0049), ref: 00BF1734
    • DeleteObject.GDI32(00000000), ref: 00BF173B
    • PlgBlt.GDI32(00000000,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00BF1761
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: rand$MetricsObjectSystemWindow_time64$BrushCreateDeleteDesktopRectSelectSolid
    • String ID: `GTw
    • API String ID: 557176497-2130825109
    • Opcode ID: ad828f776d1e03ed2fcdbaaf384da837802f42990ed9cfb5e3165ca995eba305
    • Instruction ID: 6f55e143a6c393ea4ab1284efa413ea4d303fb3e4c87f65e8d656a95a6349d8c
    • Opcode Fuzzy Hash: ad828f776d1e03ed2fcdbaaf384da837802f42990ed9cfb5e3165ca995eba305
    • Instruction Fuzzy Hash: 37413DB2D00219AFDB00DFA4DC49BDEBBB8FF48314F264566E905F7250DA75A904CBA4
    Function 00BF1212 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 71windowCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetDC.USER32(00000000), ref: 00BF19EB
    • GetSystemMetrics.USER32(00000000), ref: 00BF19FC
    • GetSystemMetrics.USER32(00000001), ref: 00BF1A03
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1A10
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1A1D
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1A2C
    • CreateSolidBrush.GDI32(00000000), ref: 00BF1A36
    • SelectObject.GDI32(?,00000000), ref: 00BF1A43
    • PatBlt.GDI32(?,00000000,00000001,?,?,005A0049), ref: 00BF1A59
    • DeleteObject.GDI32(00000000), ref: 00BF1A60
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(00CC0020), ref: 00BF1A6B
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1A76
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?), ref: 00BF1A83
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1A89
    • BitBlt.GDI32(?), ref: 00BF1A90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: rand$MetricsObjectSystem$BrushCreateDeleteSelectSolid
    • String ID: @M(t
    • API String ID: 2950302033-3358032445
    • Opcode ID: 457d4a3c42cd63f7222337db4bd93549cc6f82e1164b96fd531fefe4bceebe51
    • Instruction ID: 9021a20d5abd4a1e298d43f20b86b755740d96ad3228a86dc5f2f179339b7774
    • Opcode Fuzzy Hash: 457d4a3c42cd63f7222337db4bd93549cc6f82e1164b96fd531fefe4bceebe51
    • Instruction Fuzzy Hash: D111E376C11228BBD71057F18C89FAF3E79EF88B50F2B8454FA0563190CA789800DBB4
    Function 00BF11D6 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46windowCOMMON
    Download Yara Rule
    APIs
    • GetDC.USER32(00000000), ref: 00BF1AD9
    • GetSystemMetrics.USER32(00000000), ref: 00BF1AE9
    • GetSystemMetrics.USER32(00000001), ref: 00BF1AEF
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(001100A6), ref: 00BF1B05
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1B10
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,00000000), ref: 00BF1B20
    • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00BF1B2B
    • BitBlt.GDI32(00000000), ref: 00BF1B37
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: rand$MetricsSystem
    • String ID: @M(t
    • API String ID: 2696769970-3358032445
    • Opcode ID: a175ff0f61ac4f22c67efa521f989492f5c4e0d4bc61af0c1ee4cd58a51dee74
    • Instruction ID: 779727924ffe56b16b94161a3efd2f65f4b528894a76bb0ca3bc30d2fa399b1b
    • Opcode Fuzzy Hash: a175ff0f61ac4f22c67efa521f989492f5c4e0d4bc61af0c1ee4cd58a51dee74
    • Instruction Fuzzy Hash: 21F062F4A04218FBF20967A1CC9AF3F396EDBC8740F11446EB602672919DF46C409571
    Function 00BF1244 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44windowCOMMON
    Download Yara Rule
    APIs
    • GetDC.USER32(00000000), ref: 00BF15C5
    • GetSystemMetrics.USER32(00000000), ref: 00BF15D5
    • GetSystemMetrics.USER32(00000001), ref: 00BF15DB
    • PatBlt.GDI32(00000000,00000000,00000001,00000000,00000000,005A0049), ref: 00BF15EC
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,FFFFFC7C,00330008), ref: 00BF1606
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000384,00330008), ref: 00BF1622
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: MetricsSystem
    • String ID: @M(t
    • API String ID: 4116985748-3358032445
    • Opcode ID: c8df093e9962aef699b44fe472d720b4cf6fb55d09aac7fa31190ebc34cd5cd5
    • Instruction ID: 44d31a42f8178ce13f9d6804f08ed38a2d965ec94bd16ad1eddc5937c3efe4d4
    • Opcode Fuzzy Hash: c8df093e9962aef699b44fe472d720b4cf6fb55d09aac7fa31190ebc34cd5cd5
    • Instruction Fuzzy Hash: D0F03431380324BBF27456615C8EFAB296CEB86F99F220000FB05AA1D0D6E52905C6B8
    Function 00BF345D Relevance: 10.6, APIs: 7, Instructions: 98COMMON
    Download Yara Rule
    APIs
    • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 00BF3460
    • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00BF346B
    • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00BF3477
    • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,Function_000010EB), ref: 00BF34A4
      • Part of subcall function 00BF105A: InitializeSListHead.KERNEL32(00BFF5B8), ref: 00BF40BC
    • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00001096), ref: 00BF34C2
    • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00BF34DD
    • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00BF34EC
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: HeadInitializeList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
    • String ID:
    • API String ID: 2025284546-0
    • Opcode ID: e0e6f5c0b087e370d2137f3ff8daa5619c01b98e145173a09a93b21e3137b82c
    • Instruction ID: 266577efe151acec890cfae378fa421c93b869963cfc791b90b1074f93b978ef
    • Opcode Fuzzy Hash: e0e6f5c0b087e370d2137f3ff8daa5619c01b98e145173a09a93b21e3137b82c
    • Instruction Fuzzy Hash: C6013755A4028ED5D92033FD1907ABF16C88F92BA5F050CD1BB40AB187EF668A8C81B2
    Function 00BF4355 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON
    Download Yara Rule
    APIs
    • __current_exception.VCRUNTIME140 ref: 00BF4394
    • __current_exception_context.VCRUNTIME140 ref: 00BF439E
    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00BF43A5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1449597703.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
    • Associated: 00000000.00000002.1446414744.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450073239.0000000000BF6000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1450465024.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_bf0000_KRITENESIAS.jbxd
    Similarity
    • API ID: __current_exception__current_exception_contextterminate
    • String ID: csm
    • API String ID: 2542180945-1018135373
    • Opcode ID: 730beda78dd201a10c42c93084eb31d4734f5110e41a9eef711ae8d3444d3f66
    • Instruction ID: 0fdeb7d0c7efe72d61d723911330e36d9d7eb194bfe2efddaee5adbef6e1c808
    • Opcode Fuzzy Hash: 730beda78dd201a10c42c93084eb31d4734f5110e41a9eef711ae8d3444d3f66
    • Instruction Fuzzy Hash: 57F05E360002098BCB20AF69944417FF7EDFF21321B9A04A6E6448B611C770AD99C7D9