Windows Analysis Report hBB2KnTndI

Found inlined nop instructions (likely shell or obfuscated code)

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484064
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A01FB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00434186
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484184
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A01AB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A029B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0049C290
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004842A4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004843C4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then sub esp, 1Ch	0_2_0042C470
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004844E4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_00430520
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484604
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046C6B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484724
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_00484844
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470A20
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470B64
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_00488BBB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push edi	0_2_004951B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [004F6360h]	0_2_00475351
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DB14
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DC34
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DD54
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DE74
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov edx, dword ptr [ecx+08h]	0_2_00431E1A
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DF94
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E0B4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E1D4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E2F4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E414
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E534
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push esi	0_2_0046E654
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FAB7Ch	0_2_0048E934
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0049A9C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FA468h	0_2_0049EAA2
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486B40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0049EB72
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486C84

Source: hBB2KnTndI.exe

String found in binary or memory: http://gcc.gnu.org/bugs.html):

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00407090 CreateMutexW,GetLastError,GetFileAttributesA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

5_2_00407090

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402150 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

5_2_00402150

Creates a DirectInput object (often for capturing keystrokes)

Source: hBB2KnTndI.exe, 00000000.00000000.260905702.000000000092A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

One or more processes crash

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272

Detected potential crypto function

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00468160	0_2_00468160
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C250	0_2_0041C250
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004503C0	0_2_004503C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454440	0_2_00454440
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D87F0	0_2_004D87F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C8E0	0_2_0041C8E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041CA70	0_2_0041CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044CA70	0_2_0044CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00420CD0	0_2_00420CD0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D8C88	0_2_004D8C88
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00450DA0	0_2_00450DA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00444DB0	0_2_00444DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DCE9D	0_2_004DCE9D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454F10	0_2_00454F10
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00414FF0	0_2_00414FF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CD137	0_2_004CD137
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004593D0	0_2_004593D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044D5E0	0_2_0044D5E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004416C0	0_2_004416C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004656F0	0_2_004656F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00429800	0_2_00429800
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00441B50	0_2_00441B50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00425D40	0_2_00425D40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00445DE0	0_2_00445DE0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00459DB0	0_2_00459DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DDE50	0_2_004DDE50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0043DFF0	0_2_0043DFF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00449F90	0_2_00449F90
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00466420	0_2_00466420
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004BA540	0_2_004BA540
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00456500	0_2_00456500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0045A780	0_2_0045A780
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004428E0	0_2_004428E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044AA40	0_2_0044AA40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044EA00	0_2_0044EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00422868	5_2_00422868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00409877	5_2_00409877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425827	5_2_00425827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00404120	5_2_00404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00426A7D	5_2_00426A7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00427A30	5_2_00427A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004223D0	5_2_004223D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00416D17	5_2_00416D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425707	5_2_00425707

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A5D70 appears 102 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB9D0 appears 69 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A57E0 appears 38 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0041EC30 appears 76 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004966B0 appears 50 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB7D0 appears 31 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 00496680 appears 58 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A2310 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: String function: 0024FB02 appears 62 times

PE / OLE file has an invalid certificate

Source: hBB2KnTndI.exe

Static PE information: invalid certificate

PE file contains more sections than normal

Source: hBB2KnTndI.exe

Static PE information: Number of sections : 16 > 10

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@7/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File read: C:\Users\user\Desktop\desktop.ini

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6828

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hBB2KnTndI.exe

Static file information: File size 2476494 > 1048576

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx	0_2_004115AE
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C21F push eax; mov dword ptr [esp], ebx	0_2_0047C23B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C63F push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047879C push eax; mov dword ptr [esp], ebx	0_2_004787D2
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047CB1F push eax; mov dword ptr [esp], ebx	0_2_0047CB3B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00469077 push eax; mov dword ptr [esp], ebx	0_2_00469093
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D07F push eax; mov dword ptr [esp], ebx	0_2_0047D09B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004790F2 push eax; mov dword ptr [esp], ebx	0_2_0047910E
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046917C push eax; mov dword ptr [esp], ebx	0_2_00469198
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004793BA push eax; mov dword ptr [esp], ebx	0_2_004793D6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx	0_2_00479666
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D666 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx	0_2_004798B6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047DCB6 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx	0_2_0046A67B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx	0_2_0046ABAB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452B11 push eax; mov dword ptr [esp], ebx	0_2_00452B2D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452C31 push eax; mov dword ptr [esp], ebx	0_2_00452C4D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452D51 push eax; mov dword ptr [esp], ebx	0_2_00452D6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004137F6 push ecx; ret	5_2_00413809
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F8E8 push ecx; ret	7_2_0024FAB8
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024FAD0 push ecx; ret	7_2_0024FAE3

PE file contains sections with non-standard names

Source: hBB2KnTndI.exe	Static PE information: section name: /4
Source: hBB2KnTndI.exe	Static PE information: section name: /14
Source: hBB2KnTndI.exe	Static PE information: section name: /29
Source: hBB2KnTndI.exe	Static PE information: section name: /41
Source: hBB2KnTndI.exe	Static PE information: section name: /55
Source: hBB2KnTndI.exe	Static PE information: section name: /67
Source: hBB2KnTndI.exe	Static PE information: section name: /80
Source: hBB2KnTndI.exe	Static PE information: section name: /91
Source: hBB2KnTndI.exe	Static PE information: section name: /102

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

PE file contains an invalid checksum

Source: hBB2KnTndI.exe

Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

Found evaded block containing many API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Evaded block: after key decision

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	API coverage: 5.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	API coverage: 8.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00417C96

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402C50 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

5_2_00402C50

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h]	0_2_004EEBEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h]	5_2_00419122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h]	5_2_00415391

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess,	0_2_004011A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413738 SetUnhandledExceptionFilter,	5_2_00413738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00413983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00417C96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_004135D3
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,	7_2_0024F580

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: BCE008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004EEC21 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_004EEC21

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak,

7_2_0024915E

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004C9813 cpuid

0_2_004C9813

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00413811

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free,

5_2_00421B1C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Yara detected Amadeys stealer DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_0040F1D0 IsUserAnAdmin,GetUserNameW,GetComputerNameExW,

5_2_0040F1D0

Stealing of Sensitive Information

Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

Multi AV Scanner detection for submitted file

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Perma Link

Found inlined nop instructions (likely shell or obfuscated code)

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484064
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A01FB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00434186
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484184
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A01AB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004A029B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0049C290
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004842A4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004843C4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then sub esp, 1Ch	0_2_0042C470
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_004844E4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	0_2_00430520
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484604
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046C6B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_00484724
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_00484844
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470A20
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h	0_2_00470B64
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx	0_2_00488BBB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push edi	0_2_004951B0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [004F6360h]	0_2_00475351
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DB14
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DC34
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DD54
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DE74
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov edx, dword ptr [ecx+08h]	0_2_00431E1A
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046DF94
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E0B4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E1D4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E2F4
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E414
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0046E534
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push esi	0_2_0046E654
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FAB7Ch	0_2_0048E934
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0049A9C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FA468h	0_2_0049EAA2
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486B40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp	0_2_0049EB72
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h	0_2_00486C84

Source: hBB2KnTndI.exe

String found in binary or memory: http://gcc.gnu.org/bugs.html):

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

5_2_00407090

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

5_2_00402150

Creates a DirectInput object (often for capturing keystrokes)

Source: hBB2KnTndI.exe, 00000000.00000000.260905702.000000000092A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

One or more processes crash

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272

Detected potential crypto function

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00468160	0_2_00468160
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C250	0_2_0041C250
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004503C0	0_2_004503C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454440	0_2_00454440
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D87F0	0_2_004D87F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C8E0	0_2_0041C8E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041CA70	0_2_0041CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044CA70	0_2_0044CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00420CD0	0_2_00420CD0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D8C88	0_2_004D8C88
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00450DA0	0_2_00450DA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00444DB0	0_2_00444DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DCE9D	0_2_004DCE9D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454F10	0_2_00454F10
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00414FF0	0_2_00414FF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CD137	0_2_004CD137
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004593D0	0_2_004593D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044D5E0	0_2_0044D5E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004416C0	0_2_004416C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004656F0	0_2_004656F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00429800	0_2_00429800
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00441B50	0_2_00441B50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00425D40	0_2_00425D40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00445DE0	0_2_00445DE0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00459DB0	0_2_00459DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DDE50	0_2_004DDE50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0043DFF0	0_2_0043DFF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00449F90	0_2_00449F90
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00466420	0_2_00466420
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004BA540	0_2_004BA540
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00456500	0_2_00456500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0045A780	0_2_0045A780
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004428E0	0_2_004428E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044AA40	0_2_0044AA40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044EA00	0_2_0044EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00422868	5_2_00422868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00409877	5_2_00409877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425827	5_2_00425827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00404120	5_2_00404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00426A7D	5_2_00426A7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00427A30	5_2_00427A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004223D0	5_2_004223D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00416D17	5_2_00416D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425707	5_2_00425707

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A5D70 appears 102 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB9D0 appears 69 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A57E0 appears 38 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0041EC30 appears 76 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004966B0 appears 50 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB7D0 appears 31 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 00496680 appears 58 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A2310 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: String function: 0024FB02 appears 62 times

PE / OLE file has an invalid certificate

Source: hBB2KnTndI.exe

Static PE information: invalid certificate

PE file contains more sections than normal

Source: hBB2KnTndI.exe

Static PE information: Number of sections : 16 > 10

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Source: hBB2KnTndI.exe

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@7/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File read: C:\Users\user\Desktop\desktop.ini

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6828

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hBB2KnTndI.exe

Static file information: File size 2476494 > 1048576

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx	0_2_004115AE
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C21F push eax; mov dword ptr [esp], ebx	0_2_0047C23B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C63F push eax; mov dword ptr [esp], ebx	0_2_0047C630
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047879C push eax; mov dword ptr [esp], ebx	0_2_004787D2
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047CB1F push eax; mov dword ptr [esp], ebx	0_2_0047CB3B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00469077 push eax; mov dword ptr [esp], ebx	0_2_00469093
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D07F push eax; mov dword ptr [esp], ebx	0_2_0047D09B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004790F2 push eax; mov dword ptr [esp], ebx	0_2_0047910E
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046917C push eax; mov dword ptr [esp], ebx	0_2_00469198
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004793BA push eax; mov dword ptr [esp], ebx	0_2_004793D6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx	0_2_00479666
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D666 push eax; mov dword ptr [esp], ebx	0_2_0047D650
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx	0_2_004798B6
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047DCB6 push eax; mov dword ptr [esp], ebx	0_2_0047DCA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx	0_2_0046A67B
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx	0_2_0046ABAB
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452B11 push eax; mov dword ptr [esp], ebx	0_2_00452B2D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452C31 push eax; mov dword ptr [esp], ebx	0_2_00452C4D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452D51 push eax; mov dword ptr [esp], ebx	0_2_00452D6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004137F6 push ecx; ret	5_2_00413809
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F8E8 push ecx; ret	7_2_0024FAB8
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024FAD0 push ecx; ret	7_2_0024FAE3

PE file contains sections with non-standard names

Source: hBB2KnTndI.exe	Static PE information: section name: /4
Source: hBB2KnTndI.exe	Static PE information: section name: /14
Source: hBB2KnTndI.exe	Static PE information: section name: /29
Source: hBB2KnTndI.exe	Static PE information: section name: /41
Source: hBB2KnTndI.exe	Static PE information: section name: /55
Source: hBB2KnTndI.exe	Static PE information: section name: /67
Source: hBB2KnTndI.exe	Static PE information: section name: /80
Source: hBB2KnTndI.exe	Static PE information: section name: /91
Source: hBB2KnTndI.exe	Static PE information: section name: /102

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

PE file contains an invalid checksum

Source: hBB2KnTndI.exe

Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

Found evaded block containing many API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Evaded block: after key decision

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	API coverage: 5.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	API coverage: 8.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,		0_2_00424F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,		5_2_0041E292

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00417C96

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

5_2_00402C50

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]	0_2_00411C06
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h]	0_2_004EEBEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h]	5_2_00419122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h]	5_2_00415391

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess,	0_2_004011A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413738 SetUnhandledExceptionFilter,	5_2_00413738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00413983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00417C96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_004135D3
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,	7_2_0024F580

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: BCE008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

0_2_004EEC21

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak,

7_2_0024915E

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004C9813 cpuid

0_2_004C9813

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00413811

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free,

5_2_00421B1C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,