Analysis Report StnFGHUnrB.bin

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109774
Start date: 11.02.2019
Start time: 17:49:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: StnFGHUnrB.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Power Change
Detection: MAL
Classification: mal84.rans.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 0.4% (good quality ratio 0.4%)
  • Quality average: 66.8%
  • Quality standard deviation: 12.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 12
  • Number of non-executed functions: 341
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, svchost.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 84 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Bootkit (1) | Process Injection (1) | Software Packing (2) | Credential Dumping | Security Software Discovery (2) | Application Deployment Software | Data from Local System | Data Compressed | Standard Cryptographic Protocol (2)
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Disabling Security Tools (1) | Network Sniffing | System Information Discovery (22) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Connection Proxy (1)
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection (1) | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information (3) | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: StnFGHUnr.exe | Avira: Label: TR/AD.Petya.Y.hhcl
Multi AV Scanner detection for submitted file
Source: StnFGHUnr.exe | virustotal: Detection: 78%
Source: StnFGHUnr.exe | metadefender: Detection: 74%
Antivirus detection for unpacked file
Source: 3.0.StnFGHUnrB.exe.400000.0.unpack | Avira: Label: TR/AD.Petya.Y.hhcl

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004091C2 _memset,_memset,_memset,MultiByteToWideChar,CryptQueryObject,GetLastError,CryptMsgGetParam,GetLastError,_malloc,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,CertGetNameStringW,GetLastError,__snwprintf_s,CertCloseStore,CryptMsgClose,lstrcmpA,lstrcmpA

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004310F8 __EH_prolog3_GS,FindFirstFileA,FindFirstFileA,GetLastError,GetLastError,GetLastError,GetLastError,__CxxThrowException@8,FindNextFileA,FindNextFileA,GetLastError,GetLastError,GetLastError
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044F799 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_wcslen,_IsRootUNCName,GetDriveTypeW,___loctotime64_t,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose

Networking:

Found Tor onion address
Source: StnFGHUnrB.exe | String found in binary or memory: http://petya5koahtsf7sv.onion/
Source: StnFGHUnrB.exe | String found in binary or memory: http://petya37h5tbhyvki.onion/
Source: StnFGHUnrB.exe, 00000003.00000002.6534576105.000000000019C000.00000004.sdmp | String found in binary or memory: http://petya37h5tbhyvki.onion/RoRwUg
Source: StnFGHUnrB.exe, 00000003.00000002.6534576105.000000000019C000.00000004.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/RoRwUg
Source: StnFGHUnrB.exe, 00000003.00000002.6534840170.000000000040F000.00000040.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/
Source: StnFGHUnrB.exe, 00000003.00000002.6534840170.000000000040F000.00000040.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/http://petya37h5tbhyvki.onion/SeShutdownPrivilegeNtRaiseHardErrorNTDLL.DLL}
Source: StnFGHUnrB.exe, 00000003.00000002.6536064793.00000000006F0000.00000004.sdmp | String found in binary or memory: http://petya37h5tbhyvki.onion/RoRwUg
Source: StnFGHUnrB.exe, 00000003.00000002.6536064793.00000000006F0000.00000004.sdmp | String found in binary or memory: )5Phttp://petya37h5tbhyvki.onion/RoRwUg
Source: StnFGHUnrB.exe, 00000003.00000002.6536064793.00000000006F0000.00000004.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/RoRwUgA
Source: DR0.3.dr | String found in binary or memory: http://petya37h5tbhyvki.onion/RoRwUg
Source: DR0.3.dr | String found in binary or memory: http://petya5koahtsf7sv.onion/RoRwUg
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0042ADE7 __EH_prolog3_GS,InternetReadFile,GetLastError,__CxxThrowException@8
Urls found in memory or binary data
Source: StnFGHUnrB.exe, 00000003.00000002.6535127269.0000000000471000.00000002.sdmp, StnFGHUnr.exe | String found in binary or memory: http://dummy.xml
Source: StnFGHUnrB.exe, StnFGHUnr.exe | String found in binary or memory: http://java.sun.com
Source: StnFGHUnrB.exe, 00000003.00000002.6535127269.0000000000471000.00000002.sdmp, StnFGHUnr.exe | String found in binary or memory: http://java.sun.comnot
Source: StnFGHUnrB.exe | String found in binary or memory: http://petya37h5tbhyvki.onion/
Source: StnFGHUnrB.exe, 00000003.00000002.6536064793.00000000006F0000.00000004.sdmp, DR0.3.dr | String found in binary or memory: http://petya37h5tbhyvki.onion/RoRwUg
Source: StnFGHUnrB.exe, StnFGHUnrB.exe, 00000003.00000002.6534840170.000000000040F000.00000040.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/
Source: StnFGHUnrB.exe, 00000003.00000002.6534576105.000000000019C000.00000004.sdmp, DR0.3.dr | String found in binary or memory: http://petya5koahtsf7sv.onion/RoRwUg
Source: StnFGHUnrB.exe, 00000003.00000002.6536064793.00000000006F0000.00000004.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/RoRwUgA
Source: StnFGHUnrB.exe, 00000003.00000002.6534576105.000000000019C000.00000004.sdmp, DR0.3.dr | String found in binary or memory: http://petya5koahtsf7sv.onion/RoRwUgb9MzSZAweydftSvGCysrZuspZ79vKcTvqd2PFM2azNHrreTM6JQgb6RVh4qhGTYz
Source: StnFGHUnrB.exe, 00000003.00000002.6534840170.000000000040F000.00000040.sdmp | String found in binary or memory: http://petya5koahtsf7sv.onion/http://petya37h5tbhyvki.onion/SeShutdownPrivilegeNtRaiseHardErrorNTDLL
Source: StnFGHUnrB.exe, StnFGHUnr.exe | String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml
Source: StnFGHUnrB.exe, StnFGHUnr.exe | String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml
Source: StnFGHUnrB.exe, 00000003.00000002.6535127269.0000000000471000.00000002.sdmp, StnFGHUnr.exe | String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda
Source: StnFGHUnrB.exe, StnFGHUnrB.exe, 00000003.00000002.6536096581.00000000006F8000.00000004.sdmp, DR0.3.dr | String found in binary or memory: https://www.torproject.org/

System Summary:

Performs an instant shutdown (NtRaiseHardError)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Hard error raised: shutdown
Detected potential crypto function
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040EB4A
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044A044
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00446136
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0041029F
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004103E3
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0041644F
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0041640B
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044A416
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0042E429
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004164CB
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0041648B
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004104BF
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044A7FE
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004148F1
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004148B5
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040E8BA
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00462967
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040E9DA
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040E9B2
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00414A08
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00414A80
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00464B99
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040EC97
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040ED44
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040ED33
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00446E67
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044AE30
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040EE8D
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00462EB8
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040EF29
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040F008
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040F028
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004131FF
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00447279
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040F23B
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00415309
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00463409
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0045541F
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00447503
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004155C2
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00449811
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00445949
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00415999
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00415ACC
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00459B2E
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00415C1E
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040FCC5
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00449CA6
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040FE50
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00463E61
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040FED3
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 004035D3 appears 39 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00451061 appears 47 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00450FF2 appears 211 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00402559 appears 93 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00401685 appears 38 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00403182 appears 49 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00450F89 appears 177 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 0044ADA0 appears 53 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00447EB1 appears 36 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 004547C0 appears 55 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00448F1C appears 56 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 004016C6 appears 31 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 004055E5 appears 203 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00451028 appears 37 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00424259 appears 44 times
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: String function: 00450FBC appears 94 times
PE file contains strange resources
Source: StnFGHUnr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal84.rans.evad.winEXE@1/1@0/0
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0041C30A __EH_prolog3_GS,CoCreateInstance,OleRun,OleSetContainedObject
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00406B12 __EH_prolog3_catch,lstrlenW,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary
Might use command line arguments
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: kernel32 (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: WinMain (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: setconfig= (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: getconfig= (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: UnregServer (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: RegServer (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: auto (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: scheduled (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: pending (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: critical (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: test (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: %ld (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: @MFu (3_2_004081E0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Command line argument: Method (3_2_004081E0)
PE file has an executable .text section and no other executable section
Source: StnFGHUnr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: StnFGHUnr.exe | virustotal: Detection: 78%
Source: StnFGHUnr.exe | metadefender: Detection: 74%
Sample might require command line arguments (.Net)
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateChecker.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/JavaEnvironment.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/MutexImpl.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/windows/WinAutoHandle.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Browsers.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/share/Mutex.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/DownloadManager.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Executor.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserExternal.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/ConditionalImpl.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/AllUtils.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/windows/WinErrorHandling.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateCommon.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Registry.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/NetUtils.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Locales.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/MsiUtils.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/UIThread.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/FileUtils.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/SysInfo.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/ComUtils.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserControl.cpp
Source: StnFGHUnrB.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateManager.cpp
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateManager.cpp
Source: StnFGHUnr.exe | String found in binary or memory: MGtMGhMG\MGTMGPMGDMG<MG0MG(MGSoftware\JreMetricsJreVersionDowngrade scenario detected, Update Version: Highest Version: Latest Secure Version: CUpdateManager::WillAllowUpdated:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateManager.cppCUpdateManager::CheckXmlFilesUser Action on Pending Update, Time to Re-check Update XML files
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateChecker.cpp
Source: StnFGHUnr.exe | String found in binary or memory: ModuleModule_RawREGISTRYkernel32SetDefaultDllDirectoriesCould not initialize common controls!WinMaind:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateChecker.cpp-/UnregServerRegServerautojauscheduledpendingcriticaltestsetconfig=setconfig error: getconfig=%ld%sgetconfig error: getconfig error - incorrect version: SunJavaUpdateCheckerMutexMethodAPPIDx
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/DownloadManager.cpp
Source: StnFGHUnr.exe | String found in binary or memory: F(null)PreDownldStatusuaDownload Status: Download CompleteDownload Status: Verification of Downloaded File Signature FailedDownload Status: Verification of Downloaded File Version FailedDownload Status: Download Failed\Verify publisher of "%s" file...CDownloadManager::VerifyExecInstallerPublisherd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/DownloadManager.cppCould not obtain CryptQueryObject%s failed with %sCould not obtain CryptMsgGetParamCryptMsgGetParamCertFindCertificateInStoreCould not retrieve Signer's simple name%lsOracle America, Inc.Sun Microsystems, Inc.Signer is neither Oracle nor SunMSI is valid fileDownloading fileLocalFileNameDownload Status: Verification of Installer failedDownloading Java Update files failed, rc is CDownloadManager::DownloadFilesDownload Status: Bef Stage2 PreDL"%s" -download%s %sDownload Status: Stage2 PreDL SuccessDownload Status: Stage2 PreDL FailedCDownloadManager::DownloadFiledownloading cancelled by userCDownloadManager::Downlo
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/SystemTray.cpp
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateCommon.cpp
Source: StnFGHUnr.exe | String found in binary or memory: @CSystemTray::NotifyShelld:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/SystemTray.cppDllGetVersionshell32.dll*dummyCallLog.txt<?xml version="1.0" encoding="UTF-8"?>
Source: StnFGHUnr.exe | String found in binary or memory: </autoupdate-request>AU2CLIENTLogging SendDummyCalld:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateCommon.cppError occurred: not allowed URL: GetXmlFilejupdate,-sp-sp0TestModeFailed to Open Test ConfigFile=
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateConf.cpp
Source: StnFGHUnr.exe | String found in binary or memory: SetJavaUpdateStringKey was called with a NULL value for the key, so defaulting to trying jucheck keySetJavaUpdateDwordKey was called with a NULL for key, so trying jucheck locationUpdateTestFlagInstallOptionsUpdateDescriptionUpdateTitle1UpdateTitle2UpdateMoreInfoUrlBalloonTitleBalloonTipDlgCaptionMoreInfoTxtPreDownldUrlInfoNumTriesLastUDCheckTimeVersionXmlChecksumSunJavaUpdateShutdownEventInstallStatusNo pings: unallowed url: SendHeadRequestd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/jucheck/UpdateConf.cpp<?xml version="1.0" encoding="UTF-8"?> <request> 1.0sc_xml_versuninstallstatsuninstallstatdevsunjfxinstallstatdevreportsuiteidvisitoridprop21https://https://sjremetrics.java.com%xnonprodpasswdprop20nonhttpspasswdpagenameevar2NAevar3evar15i586evar4evar5evar6evar7evar8event6,event7eventsreinstallNo pings: reinstallexistsdeclineevar17evar18evar19No pings: decline;jre|%dproductskicevent11event1event2_%d%devar9evar10nbdevar11nbi</request>?jupdate_%xPing Values: request#$LogHea
Source: StnFGHUnr.exe | String found in binary or memory: /installmethod=
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/wrappers/common/UpdateUtils.cpp
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/JavaScrub/SecurityBaselines.cpp
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/common/au/config.cpp
Source: StnFGHUnr.exe | String found in binary or memory: enjava-updateinformationxml:lang1.1descriptionfrom8titlemoreinfotxtcaptionmoreinfooptionspost-statusAlertTextAlertTitleurlinfo256predownloadOriginal options element: %s /installmethod=Final options element: %sallError reading cached update information from the registry.
Source: StnFGHUnr.exe | String found in binary or memory: <!----><!<??>&amp;&lt;&gt;&apos;&quote;0123456789abcdefError opening file "%s"getCheckSumd:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u73\6086\install\src\windows\wrappers\common\UpdateUtils.hppCryptAcquireContextCryptCreateHashCryptHashDataCryptGetHashParamChecksum verification for "%s" file failed: expected=[%s]; actual=[%s]; algorithm=%d.verifyCheckSumhttp://file://jucheckCOUNTRYGetCountryd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/wrappers/common/UpdateUtils.cpp'Invalid country value : ' after GetCountry()Save Country Code Country Code deletedVerify integrity of "%s" file from "%s"...CheckFileIntegrityIntegrity verification failed for "%s"jscrub::`anonymous-namespace'::downloadBaselinesFiled:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/JavaScrub/SecurityBaselines.cpphttps://www.java.com/applet/javaLatestVersion.xmlJavaScrubjscrub::`anonymous-namespace'::verifyEqualsExpected family: ; given version: /jreVersions/familyiddefaultjscrub::SecurityB
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/common/au/jcp.cpp
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/common/au/RegData.cpp
Source: StnFGHUnr.exe | String found in binary or memory: lA%I64denabledSystemenabledUserfrequencymonthlyweeklydailydayhournotifyTypebeforeDownloadbeforeInstallmanualEnabledcorporateOverridelastUpdate:;%lldparsing errorparsing error (range)set config: au::jcp::applyJCPConfigd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/common/au/jcp.cpp(montly) day is not specified(weekly) day is not specifiedunexpected frequency valuesetconfig (schedule) failed: unrecognized notifyType value:setconfig (notifyType) failed: setconfig (enabled) failed: get config: au::jcp::getJCPConfigunsupported version: SOFTWARE\JavaSoftunknown encryptionTypegetValue(DWORD) failed: au::RegData::getValued:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/au/common/au/RegData.cppgetValue(String) failed: setValue(DWORD) failed: au::RegData::setValuesetValue(String) failed: deleteValue failed: au::RegData::deleteValueunknown reg location%I64uencryption failed, sysError=decryption failed, sysError=decrypted data has wrong sizebinary2string (ph
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/Dialog.cpp
Source: StnFGHUnr.exe | String found in binary or memory: A/res://%5C%20cancelnextbackasizecloseButtonsetWindowProp(Title): requires 1 paramsui::Dialog::setWindowPropd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/Dialog.cppsetWindowProp(Title): %ssetWindowProp(Size): requires 2 paramssetWindowProp(Size): %d x %dsetWindowProp(closeButton): requires 1 paramssetWindowProp(closeButton): %dsetWindowProp: unexpected prop: '%s'&&quot;"<>\n\r
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserWindow.cpp
Source: StnFGHUnr.exe | String found in binary or memory: ASunAwtDialogRegisterClassui::BrowserWindow::created:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserWindow.cppCreateWindowCreateWindow failedsystemDPI: [, ] scaled [ to [ui::BrowserWindow::scale2systemDPIAdjustWindowRectExui::BrowserWindow::clientSize2windowSizeAdjustWindowRectEx errorbrowser control does not existui::BrowserWindow::staticWndProc
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/UIThread.cpp
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common\Dll.h
Source: StnFGHUnr.exe | String found in binary or memory: Ano parameter at the given positionSetProcessDPIAwareuser32ui::`anonymous-namespace'::initDPIAwared:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/UIThread.cppSystem errorSetProcessDPIAware failedSetProcessDPIAware succeededUI thread failireCreateControlWindowui::UIThread::ThreadImpl::runUIThread exception: MessageLoop::GetMessageui::UIThread::ThreadImpl::runMessageLoopAction thrown an exception: ui::UIThread::ThreadImpl::wndProcNULL actionaction failedDllFunction<int (__cdecl*)(void)>::operator int (__cdecl *)(void)d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common\Dll.h() function is not available in
Source: StnFGHUnr.exe | String found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserControl.cpp
Source: StnFGHUnr.exe | String found in binary or memory: @IDispatch error #%dUnknown error 0x%0lXCreateInstanceui::BrowserControl::createControld:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserControl.cppwebBrowser -> OleObjectOleObject->SetClientSitecontainerObjcontainerAppOleSetContainedObjectviewObject->SetAdviseDoVerb(OLEIVERB_INPLACEACTIVATE)cannot get CP containerui::BrowserControl::adviseBrowserFindConnectionPointAdviseUnadviseBrowserControl::createControl failedui::BrowserControl::createSetObjectRectsui::BrowserControl::setRectcannot get OleObjectui::BrowserControl::setFocusDoVerb(OLEIVERB_UIACTIVATE)Navigateui::BrowserControl::openUrlwebBrowser->Navigate failedobject is not createdwebBrowser->getDocument(Disp)ui::BrowserControl::execJScriptUnsafewebBrowser->getDocument(HTMLDoc)doc->getScript()evalscript->getIDsOfNamesscript->InvokeJScript execution errorOleWindow(GetWindow)ui::BrowserControl::getObjectWndEMPTYNULL(extractParam[]) COM Error: ui::`anonymous-namespace'::getParamString<unknown>DISPID_HTMLWINDO
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserExternal.cpp
Source: StnFGHUnr.exeString found in binary or memory: delaysetWindowProplognotifygetLocaleui::BrowserControl::BrowserExternal::GetIDsOfNamesd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/html_ui/engine/BrowserExternal.cpp((external) unknown method called: )ui::BrowserControl::BrowserExternal::InvokeTRACEINFOWARNINGERRORempty messageui::BrowserControl::BrowserExternal::logexternal.notify: no parameters specifiedexternal.setWindowProp: no parameters specifiedcannot get parameter value (): ui::BrowserControl::BrowserExternal::delay0123456789abcdefABCDEF
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Registry.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/share/tstrings.cpp
Source: StnFGHUnr.exeString found in binary or memory: A.\3264Registry::opend:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Registry.cppopen keyRegistry::getDwordwrong typequery dword valuewrong sizeRegistry::getStringquery string valueRegistry::getBinaryquery binary valueRegistry::getValuequery valueREG_NONEREG_SZREG_EXPAND_SZREG_BINARYREG_DWORDREG_DWORD_BIG_ENDIANREG_LINKREG_MULTI_SZREG_RESOURCE_LISTREG_FULL_RESOURCE_DESCRIPTORREG_RESOURCE_REQUIREMENTS_LISTREG_QWORDUnknown[...]; length=Registry::setDwordset dword valueRegistry::setStringset string valueRegistry::setBinaryset binary valuelength=Registry::deleteValuedelete valueDeleted [] value () error: d:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u73\6086\install\src\windows\common\Dll.hSet []=[%04u/%02u/%02u %02u:%02u:%02u.%03u, %s (PID: %u, TID: %u), %s:%u (%s)]
Source: StnFGHUnr.exeString found in binary or memory: jusched.logUNKNOWNNo description availablesystem error COM error 0x%08X (%s)Entering Exiting (entered at tstrings::formatd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/share/tstrings.cppDestination buffer can't be NULLtstrings::toUtf8Unexpected reply from WideCharToMultiByte()tstrings::toUtf16Unexpected reply from MultiByteToWideChar()d$H
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/share/JavaVersion.cpp
Source: StnFGHUnr.exeString found in binary or memory: @_--b-++JavaVersionDetails::`anonymous-namespace'::parsed:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/share/JavaVersion.cppInsufficient size of destination buffer[%d < %d] failedJavaVersionDetails::Base::throwUnrecognizedVersionTypeunknown version tagSpecializedVersion<struct JavaVersionDetails::BaseLegacy>::SpecializedVersion is not recognized as a legacy Java version stringX%H
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/JavaEnvironment.cpp
Source: StnFGHUnr.exeString found in binary or memory: @`anonymous-namespace'::getArchd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/JavaEnvironment.cppUnknown bits value: `anonymous-namespace'::getTypeUnknown Java installation type: Registry key [] exists in both 32bit and 64bit HKLM registry hives. Use from 64bit hive.`anonymous-namespace'::getRegKeyRegistry key '' not found in none of HKLM hives`anonymous-namespace'::getMsiPropertySOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Detect arch of Java installation`anonymous-namespace'::detectBitsDetect type of `anonymous-namespace'::detectTypeProductNameJava SE Development KitFind home dir of `anonymous-namespace'::detectHomeDirInstallLocationUnexpected empty value of [] product property of Java installation. Fall back to heuristic home directory detection.Try home directory from [ProductIcon Java installation.DisplayIcon] registry value of ReadmeJavaHomedetectFullVersionFromMsi(`anonymous-namespace'::detectFullVersionFromMsiFullVersionJDK_VERSIONGiven version is []; Val
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/AllUtils.cpp
Source: StnFGHUnr.exeString found in binary or memory: BGetSystemDirectory failed. Return Code: %d, ErrorCode: %dJRE_System_LoadLibraryd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/AllUtils.cpp%s\%s_snprintf failed. ErrorCode: %dLoadLibrary(%s) failed. ErrorCode: %dlogit</<l></l>
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/NetUtils.cpp
Source: StnFGHUnr.exeString found in binary or memory: B`\/Exception with message '' caughtUnknown exception caught(): ) at ;.,:!?. GETPOSTHEADjava_installerHttpConnection::connect(url=HttpConnection::connectd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/NetUtils.cppInternetCrackUrl failedInvalid schemeHttp is disabledInternetOpen failedInternetConnect failed*/*HttpOpenRequest failedHttpSendRequest failedcannot get response status codeExport DeniedHttpConnection::connect succeeded, size: bytes) returned unexpected size: getHeaderValue(HttpConnection::Response::getIntHeaderValue, name=wininetCannot get header value (HttpConnection::Response::getHeaderValueHttpConnection::Response::readContentInternetReadFile failed.tmpjdsHttpConnection::Response::saveToBufferHttp error, status: MB), size is Content size exceeds maximum size (unknownhttp://java.sun.comnot connected: NetUtils::isConnectedsun.comjava.comoracle.com
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/SysInfo.cpp
Source: StnFGHUnr.exeString found in binary or memory: BRtlGetVersionntdll() failed: `anonymous-namespace'::initWithRtlGetVersiond:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/SysInfo.cpp is not availableGetVersionExWKernel32`anonymous-namespace'::initWithGetVersionExGetVersionExW()IsWow64ProcessSysInfo::isWow64fnIsWow64Process() failedwin32win2003winxpwinlongwinvistawin2008R2win7win2012win8win2012R2win81.amd64SysInfo::getProcessModulePathGetModuleFileName(NULL) failedGetSystemDirectoryGetWindowsDirectorySysInfo::SHGetFolderPathAdapterSHGetFolderPath(0x, mode=DllFunction<long (__stdcall*)(struct _OSVERSIONINFOEXW *)>::operator long (__stdcall *)(struct _OSVERSIONINFOEXW *)DllFunction<int (__stdcall*)(struct _OSVERSIONINFOEXW *)>::operator int (__stdcall *)(struct _OSVERSIONINFOEXW *)DllFunction<int (__stdcall*)(void *,int *)>::operator int (__stdcall *)(void *,int *)SysInfo::`anonymous-namespace'::getSystemDirImpl failedUnexpected reply from
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Resources.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/windows/WinAutoHandle.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Executor.cpp
Source: StnFGHUnr.exeString found in binary or memory: B')', type=' (name='Resource::getPtrd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Resources.cppcannot find resourcecannot load resourceStringResource::stringCloseHandle(closeHANDLEd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/windows/WinAutoHandle.cppInternetCloseHandle(closeInternetHandleRegCloseKey(closeRegHandle Executor: applicationPath is emptyExecutor::Executord:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Executor.cppapplicationPath is emptyExecutor.exec(): CreateProcessExecutor::execExecutor.exec(): Executor::startExecutionExecutor.finishExecution()Executor::finishExecutionExecutor.finishExecution(): WaitForSingleObject exited with code Executor.finishExecution(): The timeout is elapsed. Terminating Process.Executor.finishExecution(): GetExitCodeProcess()Executor.finishExecution(): ExitCode = Executor.finishExecution(): Process execution Create pipe SUCCESSExecutor::createPipeCreate pipe FAIL
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Locales.cpp
Source: StnFGHUnr.exeString found in binary or memory: Dzh_CNzhzh_TWdeesfritjakopt_BRsvd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Locales.cppGetThreadPreferredUILanguagesPreferredUILanguages: XP fallbackLocale::preferredLanguagesPreferredUILanguages: Vista+GetThreadPreferredUILanguages (detect size) failedGetThreadPreferredUILanguages (get values) failedCannot get langID: DllFunction<int (__stdcall*)(unsigned long,unsigned long *,wchar_t *,unsigned long *)>::operator int (__stdcall *)(unsigned long,unsigned long *,wchar_t *,unsigned long *)
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/FileUtils.cpp
Source: StnFGHUnr.exeString found in binary or memory: B<>:"|?*/\d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/FileUtils.cpp) failedCreated [] fileFileUtils::`anonymous-namespace'::createNewFileFileUtils::createTempFileIllegal characters in prefix=Illegal characters in suffix=cannot create temp file] directoryFileUtils::createDirectoryCreateDirectory(] file to [FileUtils::`anonymous-namespace'::moveFileImplMoveFileEx(MoveMoved [ on rebootFileUtils::deleteFileDeleteFile(FileUtils::deleteDirectoryRemoveDirectory(deleteDirectory(FileUtils::`anonymous-namespace'::BatchDeleter::executeFileUtils::iterateDirectoryFindFirstFile(..FindNextFile(FileUtils::getFileVersionGetFileVersionInfoSize(GetFileVersionInfo(\VerQueryValueW() returned unexpected buffer size.h,H8
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/ComUtils.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/xml.cpp
Source: StnFGHUnr.exeString found in binary or memory: CCoInitialize failed with ComInitializer::ComInitializerd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/ComUtils.cppOleInitialize failed with OleInitializer::OleInitializer - _com_error [0x] '; xml::`anonymous-namespace'::checkParseErrorsd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/xml.cppxml parse error at line , pos xml::Element::textxml::Element::selectElementsselectElements(xml::Element::selectElementIfExistselectElementIfExist(xml::Element::loadInvalid argumentXPathSelectionLanguageSHCreateMemStream() failed
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Browsers.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/share/Mutex.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/ConditionalImpl.cpp
Source: StnFGHUnr.exeString found in binary or memory: Software\Clients\StartMenuInternetIEXPLORE.EXEFIREFOX.EXEGoogle Chrome.htmlbrowsers::getDefaultBrowserPathd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Browsers.cppcannot find the default browserlaunchDefault(browsers::launchDefaultd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/share/Mutex.cppimplipc::Mutex::~Mutexd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/share/Mutex.cpptid = Thread::getCurrent().getId()Thread::getCurrent().getId() == tid&state == m.state0ipc::Mutex::Lock::~LockThread::getCurrent().getId() == l.tid&l.state == l.m.stateipc::Mutex::Unlock::~Unlockipc erroripc::Conditional::Impl::waitd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/ConditionalImpl.cppd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/ConditionalImpl.cppw->eventipc::Conditional::Impl::notify\-HW
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/windows/WinErrorHandling.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/ThreadImpl.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Dll.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/share/Version.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/MsiUtils.cpp
Source: StnFGHUnr.exeString found in binary or memory: @Some errorGetModuleHandleEx() failed for address.`anonymous-namespace'::makeMessaged:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/windows/WinErrorHandling.cppipc::`anonymous-namespace'::ThreadFunctiond:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/ThreadImpl.cppipc::Thread::startipc::Thread::join`anonymous-namespace'::loadLibraryd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Dll.cppLoadLibraryW(Dll::DllGetModuleHandleExW(Dll::getFunctionGetProcAddress(VersionDetails::Parser::operator ()d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/common/share/Version.cppDestination buffer can't be empty < ] failedVersionDetails::parseComponentFailed to recognize version component in [""msi::`anonymous-namespace'::CallbackTrigger::adapterd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/MsiUtils.cppMsiGetProductInfomsi::`anonymous-namespace'::openDatabaseMsiOpen
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Bundle.cpp
Source: StnFGHUnr.exeString found in binary or memory: BSoftware\JavaSoft\Java Runtime EnvironmentSoftware\JavaSoft\Java Development KitBundle::throwUnexpectedTyped:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Bundle.cppUnexpected type of `anonymous-namespace'::getRootKeyUnexpected bundle arch: Product with ProductCode=[] is tracked multiple timesGroupTracker<class KnownProductCodeInstalledJavaTracker,class Jep223UpgradeCodeInstalledJavaTracker>::nextd:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u73\6086\install\src\windows\common\InstalledJavaTracker.h|/HGkC
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Guid.cpp
Source: StnFGHUnr.exeString found in binary or memory: lC`anonymous-namespace'::initGuidd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Guid.cppIIDFromString(}{Guid::toStringStringFromGUID2() failedImplementation-Versionjavac.exe./
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/MutexImpl.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/Util.cpp
Source: StnFGHUnr.exeString found in binary or memory: Dipc::Mutex::created:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/MutexImpl.cppd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/MutexImpl.cppipc::Mutex::destroyipc::Mutex::releaseipc::waitForSingleObjectd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/Util.cppl0HW
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/HighResolutionTimerImpl.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/KnownProductCodeInstalledJavaTracker.cpp
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/Jep223UpgradeCodeInstalledJavaTracker.cpp
Source: StnFGHUnr.exeString found in binary or memory: @ipc::`anonymous-namespace'::perfFrequencyd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/ipc/windows/HighResolutionTimerImpl.cppipc::`anonymous-namespace'::perfCounterABCDEF1234567890{1111706F-666A-4037-7777-MNOO06464D10}{1111706F-666A-4037-7777-MNOO03264D10}{1111706F-666A-4037-7777-MNO648764D10}{1111706F-666A-4037-7777-MNO328764D10}{26A24AE4-039D-4CA4-87B4-2F64MNOUUUXX}{26A24AE4-039D-4CA4-87B4-2F32MNOUUUXX}{26A24AE4-039D-4CA4-87B4-2FX64MNOUUXX}{26A24AE4-039D-4CA4-87B4-2FX32MNOUUXX}{6448F0A8-6813-11D6-A77B-00B0D0MNOUUX}{3248F0A8-6813-11D6-A77B-00B0D0MNOUUX}{64A3A4F4-B792-11D6-A78A-00B0D0MNOXXX}{32A3A4F4-B792-11D6-A78A-00B0D0MNOXXX}{64A3A4F4-B792-11D6-A78A-00B0D015OUUX}{32A3A4F4-B792-11D6-A78A-00B0D015OUUX}{35A3A4F4-B792-11D6-A78A-00B0D0142UUX}{7148F0A8-6813-11D6-A77B-00B0D0142UUX}KnownProductCodeInstalledJavaTracker::matchd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/KnownProductCodeInstalledJavaTracker.cppKnownProductCodeInstalledJavaTracker::nex
Source: StnFGHUnr.exeString found in binary or memory: d:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/unzip/unzip.cpp
Source: StnFGHUnr.exeString found in binary or memory: DcreateFileProxyd:/re/workspace/8-2-build-windows-i586-cygwin/jdk8u73/6086/install/src/windows/common/unzip/unzip.cpp`anonymous-namespace'::ZipFileEntry::ZipFileEntryZIP_FindEntry(`anonymous-namespace'::ZipFileEntry::verifyCan't use ZipFileEntry instance if relase() was called`anonymous-namespace'::extractEntryInMemory::operator ()ZIP_ReadEntry(ZipFile::ZipFileZIP_Open() failed. Error: ZipFile::extractEntryAsUtf8StringZip entry from archive is too large to be extracted into memoryUnexpected empty name of zip entry archive is a directory and can't be extracted into memoryMETA-INF/invalid END header (bad central directory size)invalid END header (bad central directory offset)invalid CEN header (bad signature)invalid CEN header (encrypted entry)invalid CEN header (bad compression method)invalid CEN header (bad header size)zip file name too longzip file is emptyZip file open errorerror reading zip fileinvalid LOC header (bad signature)ZIP_Read: specified offset out of rangeZIP_Read: corrupt zip file: invalid en
PE file contains a valid data directory to section mapping
Source: StnFGHUnr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: StnFGHUnr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: StnFGHUnr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: StnFGHUnr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: StnFGHUnr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Unpacked PE file: 3.2.StnFGHUnrB.exe.510000.1.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00454805 push ecx; ret 3_2_00454818
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00451061 push ecx; ret 3_2_00451074
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 6.89149608953

Persistence and Installation Behavior:

Infects the boot sector of the hard disk
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Writes directly to the primary disk partition (DR0)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 8192
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512

Boot Survival:

Infects the boot sector of the hard disk
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File written: \Device\Harddisk0\DR0 offset: 0

Malware Analysis System Evasion:

Found evaded block containing many API calls
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Evaded block: after key decision (graph_3-54009)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | API coverage: 4.1 %
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | File opened: PhysicalDrive0
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004310F8 __EH_prolog3_GS,FindFirstFileA,FindFirstFileA,GetLastError,GetLastError,GetLastError,GetLastError,__CxxThrowException@8,FindNextFileA,FindNextFileA,GetLastError,GetLastError,GetLastError, 3_2_004310F8
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044F799 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_wcslen,_IsRootUNCName,GetDriveTypeW,___loctotime64_t,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 3_2_0044F799
Contains functionality to query system information
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044B3E6 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 3_2_0044B3E6
Program exit points
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | API call chain: ExitProcess graph end node (graph_3-54156)

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00448F27 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00448F27
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0044B3E6 VirtualProtect ?,-00000001,00000104,? 3_2_0044B3E6
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040F23B mov eax, dword ptr fs:[00000030h] 3_2_0040F23B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0045A340 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 3_2_0045A340
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004590F4 SetUnhandledExceptionFilter, 3_2_004590F4
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_00448F27 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00448F27
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_004537D8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004537D8

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: 3_2_0040A749 CreateEventA,CreateEventA,CreateEventA,CreateEventA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventA,ResetEvent,ResetEvent,ResetEvent,ResetEvent,CreateThread,CloseHandle,WaitForSingleObject,ResetEvent,LoadStringA,LoadStringA,LoadStringA, 3_2_0040A749
May try to detect the Windows Explorer process (often used for injection)
Source: StnFGHUnrB.exe, 00000003.00000002.6536304981.0000000000E80000.00000002.sdmp | Binary or memory string: Program Manager
Source: StnFGHUnrB.exe, 00000003.00000002.6536304981.0000000000E80000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: StnFGHUnrB.exe, 00000003.00000002.6536304981.0000000000E80000.00000002.sdmp | Binary or memory string: Progman
Source: StnFGHUnrB.exe, 00000003.00000002.6536304981.0000000000E80000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement, 3_2_00450721
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_0045EA68
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,GetLocaleInfoW, 3_2_00456C10
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 3_2_00460CBB
Source: C:\Users\user\Desktop\StnFGHUnrB.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,3_2_0045ED59
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_00460D95
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0045F188
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_0045F27D
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: GetLocaleInfoA, 3_2_0045336D
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_0045F37F
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 3_2_0045F324
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_0045F550
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0045F677
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0045F610
Source: C:\Users\user\Desktop\StnFGHUnrB.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 3_2_0045F6B3
Source: C:\Users\user\Desktop\StnFGHUnrB.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___ge3_2_0045DE0C
Contains functionality to query local / system timeShow sources
Source: C:\Users\user\Desktop\StnFGHUnrB.exeCode function: 3_2_0044C77E GetSystemTimeAsFileTime,__aulldiv,3_2_0044C77E
Contains functionality to query time zone informationShow sources
Source: C:\Users\user\Desktop\StnFGHUnrB.exeCode function: 3_2_00457596 __lock,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,3_2_00457596
Queries the cryptographic machine GUIDShow sources
Source: C:\Users\user\Desktop\StnFGHUnrB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious

Behavior Graph ID: 109774
Sample: StnFGHUnrB.bin
Start date: 11/02/2019
Architecture: WINDOWS
Score: 84

Signatures on the submitted sample:
  • Antivirus detection for submitted file
  • Multi AV Scanner detection for submitted file
  • Found Tor onion address
  • Antivirus detection for unpacked file

Process: StnFGHUnrB.exe (started from the sample)
  Dropped file: \Device\Harddisk0\DR0, 777
  Signatures:
  • Detected unpacking (creates a PE file in dynamic memory)
  • Writes directly to the primary disk partition (DR0)
  • Performs an instant shutdown (NtRaiseHardError)
  • Infects the boot sector of the hard disk
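The process node above reports the chain a practitioner cares about: the sample writes raw sectors to \Device\Harddisk0\DR0, infects the boot sector, and then forces an instant shutdown through NtRaiseHardError, so the next boot runs whatever now sits in sector 0. Triage of a host suspected of this comes down to reading the first 512 bytes of the physical disk and comparing them with a known-good copy. The following is an added example, not Joe Sandbox code and not code from the sample: it parses an MBR, checks the 0x55AA signature, validates the partition table (status bytes, at most one active entry, no overlaps) and compares the bootstrap code against a baseline SHA-256. The baseline and "tampered" sectors are constructed inline so the script runs offline; read_mbr() and the device path \\.\PhysicalDrive0 are the assumed way to fetch a live sector on Windows and need administrator rights.

```python
"""Triage check for boot-sector tampering: parse one 512-byte MBR and compare
it with a known-good baseline.  Added example, not Joe Sandbox code and not
code from the sample; the baseline and tampered sectors are constructed."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte partition entry; CHS fields are ignored."""
    status, ptype = entry[0], entry[4]
    lba_start, sector_count = struct.unpack_from("<II", entry, 8)
    return {"status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sector_count}


def parse_mbr(sector: bytes) -> Dict[str, object]:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:
                                          PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def assess_mbr(sector: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """Return findings; an empty list means the sector is structurally sane
    and its bootstrap code matches the baseline hash."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    parts = info["partitions"]
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    if not used:
        findings.append("partition table is empty")
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition entries overlap")
            break
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device.  Assumed usage: needs administrator
    rights on Windows; on Linux pass e.g. /dev/sda."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def _entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


# Constructed baseline: deterministic filler standing in for the real
# bootstrap code, plus one active NTFS (0x07) partition starting at LBA 2048.
BASELINE_BOOT_CODE = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
PARTITION_TABLE = _entry(True, 0x07, 2048, 1_000_000) + _entry(False, 0, 0, 0) * 3
BASELINE_MBR = BASELINE_BOOT_CODE + PARTITION_TABLE + MBR_SIGNATURE
BASELINE_HASH = hashlib.sha256(BASELINE_BOOT_CODE).hexdigest()

# Constructed "infected" sector: bootstrap code replaced wholesale while the
# partition table and signature are kept, so the disk still boots, but into
# foreign code.  This is the shape of a boot-sector infection, not the
# sample's actual bytes.
TAMPERED_MBR = bytes([0x90]) * BOOT_CODE_LEN + PARTITION_TABLE + MBR_SIGNATURE

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, assess_mbr(sector, BASELINE_HASH) or ["ok"])
```

The baseline hash is the one thing the check cannot invent: record it from a clean image of the same machine build (or from the OEM bootstrap code) before an incident, because an infected sector keeps a valid signature and partition table and only the bootstrap bytes give it away.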

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
StnFGHUnr.exe | 79% | virustotal | 
StnFGHUnr.exe | 77% | metadefender | 
StnFGHUnr.exe | 100% | Avira | TR/AD.Petya.Y.hhcl

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.StnFGHUnrB.exe.510000.1.unpack | 100% | Avira | HEUR/AGEN.1010372
3.1.StnFGHUnrB.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1001913
3.2.StnFGHUnrB.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1001913
3.0.StnFGHUnrB.exe.400000.0.unpack | 100% | Avira | TR/AD.Petya.Y.hhcl

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://petya5koahtsf7sv.onion/ | 0% | Avira URL Cloud | safe
http://petya37h5tbhyvki.onion/RoRwUg | 0% | Avira URL Cloud | safe
http://java.sun.comnot | 0% | Avira URL Cloud | safe
http://petya5koahtsf7sv.onion/RoRwUg | 0% | Avira URL Cloud | safe
http://petya5koahtsf7sv.onion/RoRwUgA | 0% | Avira URL Cloud | safe
http://petya5koahtsf7sv.onion/http://petya37h5tbhyvki.onion/SeShutdownPrivilegeNtRaiseHardErrorNTDLL | 0% | Avira URL Cloud | safe
http://petya37h5tbhyvki.onion/ | 0% | Avira URL Cloud | safe
http://petya5koahtsf7sv.onion/RoRwUgb9MzSZAweydftSvGCysrZuspZ79vKcTvqd2PFM2azNHrreTM6JQgb6RVh4qhGTYz | 0% | Avira URL Cloud | safe
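The two hidden-service hosts in this table, petya5koahtsf7sv.onion and petya37h5tbhyvki.onion, are what raises the "Found Tor onion address" signature in the behavior graph. The 0% / "safe" verdicts from Avira URL Cloud carry no information either way: a clear-web reputation service cannot resolve or crawl a Tor hidden service, so "safe" here only means "no data". Note also the entry that runs two URLs together with SeShutdownPrivilege, NtRaiseHardError and NTDLL: adjacent strings in the binary were concatenated by the string extractor, which a naive URL regex would report as one address. The following is an added example, not Joe Sandbox code and not code from the sample: it pulls ASCII and UTF-16LE printable strings from a byte blob, extracts base32 .onion hostnames of exactly v2 (16) or v3 (56) characters, and deduplicates them, correctly splitting the run-together case. SAMPLE_BLOB is constructed from the strings in this table; the file argument handling is assumed usage.

```python
"""Find Tor hidden-service hostnames in the printable strings of a binary.
Added example, not Joe Sandbox code and not code from the sample; SAMPLE_BLOB
is constructed from the URL strings the report lists so the script runs offline."""
import re
import sys
from typing import List

# Narrow (ASCII) and wide (UTF-16LE) printable runs of at least 8 characters,
# the two string encodings a Windows binary typically carries.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# A v2 onion name is exactly 16 base32 characters (a-z, 2-7), a v3 name exactly
# 56; the lookbehind stops us matching a 16-char tail of a longer base32 run.
ONION_RE = re.compile(r"(?<![a-z2-7])([a-z2-7]{16}|[a-z2-7]{56})\.onion\b",
                      re.IGNORECASE)


def printable_strings(blob: bytes) -> List[str]:
    """Return ASCII strings first, then UTF-16LE strings, in file order."""
    out = [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group(0).decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return out


def extract_onion_hosts(blob: bytes) -> List[str]:
    """Return unique .onion hostnames, lower-cased, in order of first appearance.
    Because the regex is anchored on the hostname rather than on 'http://',
    two URLs glued together still yield two separate hosts."""
    found: List[str] = []
    for s in printable_strings(blob):
        for m in ONION_RE.finditer(s):
            host = m.group(0).lower()
            if host not in found:
                found.append(host)
    return found


# Constructed blob: a fake header, the report's URL strings as narrow and wide
# strings, the concatenated string, and a too-short '.onion' that must be ignored.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"http://petya5koahtsf7sv.onion/RoRwUg\x00\x00"
    + "http://petya37h5tbhyvki.onion/".encode("utf-16-le") + b"\x00\x00"
    + b"http://java.sun.comnot\x00\x00"
    + b"http://petya5koahtsf7sv.onion/http://petya37h5tbhyvki.onion/"
    + b"SeShutdownPrivilegeNtRaiseHardErrorNTDLL\x00\x00"
    + b"short.onion/\x00\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for host in extract_onion_hosts(data):
        print(host)
```

Run it against the unpacked PE dumps rather than the packed file: the report's "Detected unpacking (creates a PE file in dynamic memory)" signature means the packed on-disk sample may not contain these strings in the clear at all.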

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
