Edit tour

Windows Analysis Report
hBB2KnTndI

Overview

General Information

Sample Name:	hBB2KnTndI (renamed file extension from none to exe)
Analysis ID:	635800
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
Tags:	32exetrojan
Infos:

Detection

Amadey

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Contains functionality to prevent local Windows debugging

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

hBB2KnTndI.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\hBB2KnTndI.exe" MD5: B413FF6E943C415AFC26640FF535C724)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 6060 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

orxds.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe" MD5: 6807F903AC06FF7E1670181378690B22)

WerFault.exe (PID: 6220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.hBB2KnTndI.exe.8b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.hBB2KnTndI.exe.8b0000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.2.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Perma Link

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then sub esp, 1Ch
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [ecx]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push edi
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [004F6360h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov edx, dword ptr [ecx+08h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push esi
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FAB7Ch
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov dword ptr [ecx], 004FA468h
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h

Source: hBB2KnTndI.exe

String found in binary or memory: http://gcc.gnu.org/bugs.html):

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00407090 CreateMutexW,GetLastError,GetFileAttributesA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402150 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

Source: hBB2KnTndI.exe, 00000000.00000000.260905702.000000000092A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00468160
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C250
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004503C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454440
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D87F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C8E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00420CD0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D8C88
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00450DA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00444DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DCE9D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454F10
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00414FF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CD137
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004593D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044D5E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004416C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004656F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00429800
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00441B50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00425D40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00445DE0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00459DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DDE50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0043DFF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00449F90
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00466420
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004BA540
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00456500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0045A780
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004428E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044AA40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00422868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00409877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00426A7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00427A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004223D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00416D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425707

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A5D70 appears 102 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB9D0 appears 69 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A57E0 appears 38 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0041EC30 appears 76 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004966B0 appears 50 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004AB7D0 appears 31 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 00496680 appears 58 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A2310 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: String function: 0024FB02 appears 62 times

Source: hBB2KnTndI.exe

Static PE information: invalid certificate

Source: hBB2KnTndI.exe

Static PE information: Number of sections : 16 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5

Source: hBB2KnTndI.exe

Virustotal: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f

Jump to behavior

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@7/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6828

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hBB2KnTndI.exe

Static file information: File size 2476494 > 1048576

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.263517945.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000002.263709457.0000000000241000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C21F push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C63F push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047879C push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047CB1F push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00469077 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D07F push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004790F2 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046917C push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004793BA push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D666 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047DCB6 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452B11 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452C31 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452D51 push eax; mov dword ptr [esp], ebx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004137F6 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F8E8 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024FAD0 push ecx; ret

Source: hBB2KnTndI.exe	Static PE information: section name: /4
Source: hBB2KnTndI.exe	Static PE information: section name: /14
Source: hBB2KnTndI.exe	Static PE information: section name: /29
Source: hBB2KnTndI.exe	Static PE information: section name: /41
Source: hBB2KnTndI.exe	Static PE information: section name: /55
Source: hBB2KnTndI.exe	Static PE information: section name: /67
Source: hBB2KnTndI.exe	Static PE information: section name: /80
Source: hBB2KnTndI.exe	Static PE information: section name: /91
Source: hBB2KnTndI.exe	Static PE information: section name: /102

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

Source: hBB2KnTndI.exe

Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	API coverage: 5.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	API coverage: 8.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402C50 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024D53A rdtsc

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413738 SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_0024F580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: BCE008

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004EEC21 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_0024915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004C9813 cpuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_0040F1D0 IsUserAnAdmin,GetUserNameW,GetComputerNameExW,

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	511 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	511 Process Injection	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hBB2KnTndI.exe	39%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	2%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.3.hBB2KnTndI.exe.8b0000.0.unpack	100%	Avira	HEUR/AGEN.1237917		Download File
5.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1237910		Download File

Name	Source	Malicious	Antivirus Detection	Reputation
http://gcc.gnu.org/bugs.html):	hBB2KnTndI.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635800
Start date and time: 29/05/202219:32:06	2022-05-29 19:32:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	hBB2KnTndI (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@7/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 4.4% (good quality ratio 4%) Quality average: 72.3% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.40.129.122, 20.189.173.20
Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, arc.trafficmanager.net, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:33:20	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_181a7760\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6829987815203323
Encrypted:	false
SSDEEP:	96:eEFJo531hDNH7DAfFpXIQcQvc6QcEDMcw3Dz+HbHg/5VG4rmMOyWZAXGng5FMTP/:HDo53F8HBUZMXwjlq/u7sTS274ItE
MD5:	5B5EA8AF84945A314F06185BEB825769
SHA1:	3E34A503CC4E9725C5609FB483F1AA1B023D4D16
SHA-256:	5771E8F70785FBB148B119707D9530C20736187595F2C181684E3235DBED5C72
SHA-512:	51099F32A4546EEFEF1BFAABDF76D62077AC34F04291EF53BFCA95F21584AAB71D75E838D83408EE6F7806CB2A43D955F7153C45B023017985D42E13AA15CAE2
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.3.5.1.5.9.6.2.2.0.6.8.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.3.5.1.5.9.7.8.7.6.9.2.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.4.d.8.6.f.c.-.4.1.e.0.-.4.a.f.f.-.a.8.e.8.-.1.6.3.1.8.4.7.b.6.6.1.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.9.4.7.3.0.6.-.b.d.e.e.-.4.5.2.9.-.8.2.8.1.-.f.1.0.7.4.7.b.9.d.f.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.B.B.2.K.n.T.n.d.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.c.-.0.0.0.1.-.0.0.1.d.-.4.b.e.8.-.0.7.9.6.c.d.7.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.1.9.a.6.8.d.c.7.b.4.d.3.5.6.1.6.f.6.1.b.3.2.1.2.a.4.1.d.9.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.c.c.1.3.d.5.2.b.f.2.8.4.1.6.f.3.b.8.a.5.9.4.d.5.8.1.1.3.f.d.8.8.2.8.a.4.0.9.3.!.h.B.B.2.K.n.T.n.d.I...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 30 02:33:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	32426
Entropy (8bit):	2.022186547098741
Encrypted:	false
SSDEEP:	192:7ToTR5OehwDu8DusI0LrIPm7QMcU8irraOTgntPw:/e+y8Du7G0mQPHiv
MD5:	9CFC1F9C7F8E9B23594FE26427E5253D
SHA1:	01F0CDD0A22805105883C4B3930AD44CDFA9E350
SHA-256:	7D63809B96E2686DE1BCE10CF9129283E9A7FFFF43CD05F60E52F22FA920D66B
SHA-512:	C6AD471D4EBB3A31C42374A5F74E7C4BA120C85C91B646D90FFAE261EDDC7B69D39F73E8E4BF5AA86DE60273CA07CC0D69B82B361DEE73A923694CCB7163A158
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........,.b........................................H...........T.......8...........T................s...........................................................................................U...........B..............GenuineIntelW...........T............,.b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6957.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.6987520698451015
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi996e6YWtSU4X7gmfcSUCprx89bb0sfzJm:RrlsNiX6e6YsSU4X7gmfcSCbnfg
MD5:	DECA573E041E2262792347A316BC7F16
SHA1:	388E343B14FA0F2D7D468F83D0AAAFE62C3FB592
SHA-256:	33694A7A970FFD265D0B2E5B6F9DC34874D560E79F9E1EE2762D6965BC0AA37E
SHA-512:	F4BEA1B1B851077E9D35A85F3D10483FB09CE95C3672F33698307AD33BC6F18E43E065A89D12A29B74AD359C9AB2D7B7489FFBC1AFAE9AE957B9CC56B6F532FE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B7B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4568
Entropy (8bit):	4.461858019240563
Encrypted:	false
SSDEEP:	48:cvIwSD8zs4JgtWI9hj1XWgc8sqYjf8fm8M4J0HFHz+q8QJ02jKlgd:uITf+4j1mgrsqYQJAz02jegd
MD5:	1361281EBE1DED37788E6218F3B30E8D
SHA1:	9B859030FD96C44D20AEA8638A4CB00482FEC9DC
SHA-256:	7824E5E7F7903D4A2BE8B7441D46C0D301E98E11749BCCFA08354A24EF0DBF78
SHA-512:	D11482242AB2E98D88258A1FD043FF8D6ACBDFDAE73794C5CE223FB85923799C64375A29B85E8A1AE1D7D8CB578653B7A2C4E80EA8B1C9DF0BDE1BB2E370BD1F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1537183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98912
Entropy (8bit):	6.288162510609848
Encrypted:	false
SSDEEP:	1536:mdCQC+TbenjRV4hbdZ7Fbk7zrbITCFcnMeaYNVq7B7d:mdCQZTbejTHXACFcnMjiMJ
MD5:	6807F903AC06FF7E1670181378690B22
SHA1:	901EC730ADC4A7C8531E8DA343A977E04FDE8B03
SHA-256:	115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5
SHA-512:	37CC7812BFD4F5A4D81D7D4B5B5906D35928856BFAF7B532481B4233AFA36E9C41C3D42D84290288A0DEB47F5D8CD54FE1280C1E0F639B8240F9AB2638716EEB
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 2%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O...!R..!R..!RR..R..!R8..R..!R8..R..!R8..R..!R8..R..!R...R..!R.. Rg.!RR..R..!R.Y.R..!R.Y.R..!R.Y.R..!RRich..!R........................PE..L..._X.Z.........."..........2............... ....@..................................@....@...... ...........................A.......P...............D..`>...`..........T..............................@............@...............................text............................... ..`.data........ ......................@....idata..j....@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.357132284261992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hBB2KnTndI.exe
File size:	2476494
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA512:	ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815
SSDEEP:	24576:dofQL0YjKOTrGRTnFZUDt4KZHD6XyeOjuTfedlb0hv4d7KXl8p+NauQ5V3h357:dofQL0YjKOTrGJ7C5iOjuTWdlxd7Kc
TLSH:	1CB51A135A8B0E75DDC23BB4A1CB633E9734EE30CA2A9B7FF609C53559532C5681A702
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..b.j...R...........\...H...............p....@...................................&....... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4012e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6290AF3D [Fri May 27 11:00:13 2022 UTC]
TLS Callbacks:	0x41bc40, 0x41bbf0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0dfe559e003c7370c899d20dea7dea8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	9/2/2021 11:32:59 AM 9/1/2022 11:32:59 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1:	8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256:	2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial:	33000002528B33AAF895F339DB000000000252

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [005372F0h]
call 00007F0C60A25320h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [005372F0h]
call 00007F0C60A25300h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537328h]
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537318h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov dword ptr [esp], 004F1000h
call 00007F0C60A4F479h
sub esp, 04h
test eax, eax
je 00007F0C60A25517h
mov dword ptr [esp], 004F1000h
mov ebx, eax
call 00007F0C60A4F420h
sub esp, 04h
mov dword ptr [00536A54h], eax
mov dword ptr [esp+04h], 004F1013h
mov dword ptr [esp], ebx
call 00007F0C60A4F440h
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 004F1029h
mov dword ptr [esp], ebx
call 00007F0C60A4F42Bh
sub esp, 08h
mov dword ptr [004B7000h], eax
test esi, esi
je 00007F0C60A25473h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x137000	0xb98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x25a206	0x27c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x139004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x137230	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb5b5c	0xb5c00	False	0.379203114254	data	6.26139811273	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0xb7000	0x39ce8	0x39e00	False	0.75697725432	data	7.53280661319	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0xf1000	0xb1d8	0xb200	False	0.318929950843	data	5.61563738189	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4	0xfd000	0x38a80	0x38c00	False	0.180035965033	data	4.78722613482	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0x136000	0xb60	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x137000	0xb98	0xc00	False	0.4052734375	data	4.97230024056	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT	0x138000	0x18	0x200	False	0.046875	data	0.118369631259	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls	0x139000	0x20	0x200	False	0.05859375	data	0.22482003451	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/14	0x13a000	0xd8	0x200	False	0.189453125	data	1.05435750986	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/29	0x13b000	0x14e37	0x15000	False	0.38714890253	data	6.07122897105	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/41	0x150000	0x13b8	0x1400	False	0.25234375	data	4.72334895544	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/55	0x152000	0x1f23	0x2000	False	0.54150390625	data	6.21611847392	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/67	0x154000	0x38	0x200	False	0.1171875	TIM image, (3080,1028)	0.668238434502	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/80	0x155000	0x2ae	0x400	False	0.3525390625	data	3.87768624749	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/91	0x156000	0x829a	0x8400	False	0.315814393939	data	4.14712052349	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/102	0x15f000	0xcd8	0xe00	False	0.345145089286	data	3.1533400052	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	_fdopen, _fstat, _lseek, _read, _strdup, _stricoll, _write
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _filbuf, _flsbuf, _fmode, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, atoi, calloc, fclose, fflush, fopen, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, getwc, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, putwc, realloc, setlocale, setvbuf, signal, sprintf, strchr, strcmp, strcoll, strerror, strftime, strlen, strtod, strtoul, strxfrm, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm
USER32.dll	MessageBoxW

• hBB2KnTndI.exe
• conhost.exe
• AppLaunch.exe
• orxds.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	19:33:03
Start date:	29/05/2022
Path:	C:\Users\user\Desktop\hBB2KnTndI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hBB2KnTndI.exe"
Imagebase:	0x400000
File size:	2476494 bytes
MD5 hash:	B413FF6E943C415AFC26640FF535C724
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.259020968.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.261443990.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.274067183.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.260767513.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	19:33:03
Start date:	29/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: AppLaunch.exePID: 6060, Parent PID: 6828

General

Target ID:	5
Start time:	19:33:13
Start date:	29/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x1270000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.263489058.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	19:33:15
Start date:	29/05/2022
Path:	C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Imagebase:	0x240000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 2%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Target ID:	8
Start time:	19:33:15
Start date:	29/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 272
Imagebase:	0xb10000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hBB2KnTndI

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_181a7760\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6957.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B7B.tmp.xml

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

Behavior

System Behavior

Windows Analysis Report
hBB2KnTndI