Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
FYBRUTggrf.exe

Overview

General Information

Sample name:	FYBRUTggrf.exe (renamed file extension from txt to exe, renamed because original name is a hash value)
Original sample name:	4E928F2C40DC96A6A84C207B4B1145997CDC3387B706F0C254A4CC72797C4AB0.txt
Analysis ID:	1546618
MD5:	9bd767f6b9bb867fe32a6cae6b3dd659
SHA1:	53e2092bb89df2e77178c9abfd79ce8b194bf18f
SHA256:	4e928f2c40dc96a6a84c207b4b1145997cdc3387b706f0c254a4cc72797c4ab0
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected suspicious sample

Drops PE files

Found dropped PE file which has not been started or loaded

Uses 32bit PE files

Classification

×

Process Tree

System is w10x64

FYBRUTggrf.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\FYBRUTggrf.exe" MD5: 9BD767F6B9BB867FE32A6CAE6B3DD659)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.2% probability

Source: FYBRUTggrf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: D:\users\jyhshyuan_su\Desktop\RunAsAdmin\Release\RunAsAdmin.pdb source: RunAsAdmin.exe.0.dr

Source: FYBRUTggrf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: FYBRUTggrf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: FYBRUTggrf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus21.winEXE@1/2@0/0

Source: C:\Users\user\Desktop\FYBRUTggrf.exe

File created: C:\Users\user\AppData\Local\Temp\nsj3117.tmp

Jump to behavior

Source: FYBRUTggrf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FYBRUTggrf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FYBRUTggrf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FYBRUTggrf.exe

File read: C:\Users\user\Desktop\FYBRUTggrf.exe

Jump to behavior

Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: shfolder.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Section loaded: propsys.dll			Jump to behavior

Source: C:\Users\user\Desktop\FYBRUTggrf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:

Binary string: D:\users\jyhshyuan_su\Desktop\RunAsAdmin\Release\RunAsAdmin.pdb source: RunAsAdmin.exe.0.dr

Source: C:\Users\user\Desktop\FYBRUTggrf.exe	File created: C:\Users\user\AppData\Local\Temp\RunAsAdmin.exe			Jump to dropped file
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	File created: C:\Users\user\AppData\Local\Temp\nsz3186.tmp\UserInfo.dll			Jump to dropped file

Source: C:\Users\user\Desktop\FYBRUTggrf.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RunAsAdmin.exe			Jump to dropped file
Source: C:\Users\user\Desktop\FYBRUTggrf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz3186.tmp\UserInfo.dll			Jump to dropped file

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FYBRUTggrf.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RunAsAdmin.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsz3186.tmp\UserInfo.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	FYBRUTggrf.exe	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	FYBRUTggrf.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546618
Start date and time:	2024-11-01 08:52:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FYBRUTggrf.exe (renamed file extension from txt to exe, renamed because original name is a hash value)
Original Sample Name:	4E928F2C40DC96A6A84C207B4B1145997CDC3387B706F0C254A4CC72797C4AB0.txt
Detection:	SUS
Classification:	sus21.winEXE@1/2@0/0
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: FYBRUTggrf.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\nsz3186.tmp\UserInfo.dll	563299efce875400a8d9b44b96597c8e-sample (1).zip	Get hash	malicious	Unknown	Browse
	Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.0-2.2.2.8_RR_v2.2.2.1_NL.exe	Get hash	malicious	Unknown	Browse
	Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.0-2.2.2.8_RR_v2.2.2.1_NL.exe	Get hash	malicious	Unknown	Browse
	LINWorks-1.10.3.exe	Get hash	malicious	Unknown	Browse
	saa.zip	Get hash	malicious	Unknown	Browse
	finalshell_windows_x64.exe	Get hash	malicious	Unknown	Browse
	CuratorStandardSetup.exe	Get hash	malicious	Unknown	Browse
	CuratorStandardSetup.exe	Get hash	malicious	Unknown	Browse
	HancockWhitney_AdminNoScanner_555036 (1).exe	Get hash	malicious	Unknown	Browse
	ibaLicenseService-V2_v2.5.2.zip	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\RunAsAdmin.exe

Process:	C:\Users\user\Desktop\FYBRUTggrf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1716736
Entropy (8bit):	6.406505011645108
Encrypted:	false
SSDEEP:	49152:aY8m6/ufkUZkCH1cq0YvdUsvoO/O0K8X9KKoFECcA2ht0vk1Dg8KhUF6RfhXhcyt:aY8sfkUZkCVcSvhvoOOn8X9KKoFEd6kq
MD5:	7F48C5CDAFD8FB5CF869FFDE65F7DA07
SHA1:	0F0E3DE46E607B8A0A61AF56921B42D38FF5D967
SHA-256:	6CEC5DDC0BBD789E23F5125113F03973228C0D5C1AFDAF74666158DCD280CF83
SHA-512:	684CC6D076200F8E38B8DE2409F9640FC2675A31B8730F388EFD41A512AC8DA7033068CF25C91D51C5C7886B88D3AE4BF6ECC34FB06B67C0DFF0506BDF62A90E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P..u..`&..`&..`&...&..`&...&..`&...&7.`&..a&..`&.n.&9.`&.n.&..`&.n.&..`&.n.&..`&.n.&..`&.n.&..`&Rich..`&................PE..L...)..T.................b..........n ............@.................................. ....@.....................................h...........................@..T...p...................................@............................................text....`.......b.................. ..`.rdata..\8.......:...f..............@..@.data............b..................@....rsrc..............................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz3186.tmp\UserInfo.dll

Process:	C:\Users\user\Desktop\FYBRUTggrf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.331979080664426
Encrypted:	false
SSDEEP:	48:iViF7LLM4wXqQH1wRrOpArXMVyjlZSXRN:ky7EcQHu4tVy4R
MD5:	7579ADE7AE1747A31960A228CE02E666
SHA1:	8EC8571A296737E819DCF86353A43FCF8EC63351
SHA-256:	564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5
SHA-512:	A88BC56E938374C333B0E33CB72951635B5D5A98B9CB2D6785073CBCAD23BF4C0F9F69D3B7E87B46C76EB03CED9BB786844CE87656A9E3DF4CA24ACF43D7A05B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 563299efce875400a8d9b44b96597c8e-sample (1).zip, Detection: malicious, Browse Filename: Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.0-2.2.2.8_RR_v2.2.2.1_NL.exe, Detection: malicious, Browse Filename: Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.0-2.2.2.8_RR_v2.2.2.1_NL.exe, Detection: malicious, Browse Filename: LINWorks-1.10.3.exe, Detection: malicious, Browse Filename: saa.zip, Detection: malicious, Browse Filename: finalshell_windows_x64.exe, Detection: malicious, Browse Filename: CuratorStandardSetup.exe, Detection: malicious, Browse Filename: CuratorStandardSetup.exe, Detection: malicious, Browse Filename: HancockWhitney_AdminNoScanner_555036 (1).exe, Detection: malicious, Browse Filename: ibaLicenseService-V2_v2.5.2.zip, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................4..............Rich..................PE..L......K...........!......................... ...............................P...................................... "......L ..<............................@..d.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.979519157007951
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FYBRUTggrf.exe
File size:	868'635 bytes
MD5:	9bd767f6b9bb867fe32a6cae6b3dd659
SHA1:	53e2092bb89df2e77178c9abfd79ce8b194bf18f
SHA256:	4e928f2c40dc96a6a84c207b4b1145997cdc3387b706f0c254a4cc72797c4ab0
SHA512:	03c7bea815f238443292d02127e615078d68fa922b6031666cd5682d04e8cbefefac4c2798574400f3e95f0da989059a87324c938cdab400298056883bc1d132
SSDEEP:	12288:UxjBxPKNm/qtBN/YThN4iQ55K0P2a+7GRnvct4tsthzm0uhq1J7pKiUGfW+x1L:UxGNx4T74iSYq+KRUxhPm29dUGvL
TLSH:	9005237D61E1F86FC564B53269F79C78A23A828983A79D0FEB43EB6F68144C25C442D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007F1AE06E78C6h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007F1AE06E7579h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007F1AE06E7567h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007F1AE06E4CDCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007F1AE06E705Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F1AE06E4D35h
cmp cl, 00000020h
jne 00007F1AE06E4CD8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F1AE06E4CCCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x3e48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	856b32eb77dfd6fb67f21d6543272da5	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	dc77f8a1e6985a4361c55642680ddb4f	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	7922d4ce117d7d5b3ac2cffe4b0b5e4f	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x3e48	0x4000	9220819ee863b995b92fdec2d679e17d	False	0.62823486328125	data	5.942322566388902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x372b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x38358	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x39200	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x39aa8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x3a010	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x3a478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x3a760	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x3a888	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3a988	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3aaa8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3ab08	0x68	data	English	United States	0.6634615384615384
RT_MANIFEST	0x3ab70	0x2d7	XML 1.0 document, ASCII text, with very long lines (727), with no line terminators	English	United States	0.5639614855570839

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: FYBRUTggrf.exePID: 7364, Parent PID: 4084

General

Target ID:	0
Start time:	03:52:55
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\FYBRUTggrf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FYBRUTggrf.exe"
Imagebase:	0x400000
File size:	868'635 bytes
MD5 hash:	9BD767F6B9BB867FE32A6CAE6B3DD659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly