
Analysis Report byc.png.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109775
Start date: 11.02.2019
Start time: 17:49:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: byc.png.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.spyw.evad.winEXE@9/4@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: byc.png.exe, byc.png.exe, Javas.exe, Javas.exe, Javas.exe, Javas.exe

Detection

Strategy    Score   Range     Reporting        Whitelisted   Detection
Threshold   96      0 - 100   Report FP / FN   false         malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
Execution
  • Windows Remote Management
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
Persistence
  • Registry Run Keys / Start Folder (1)
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
Privilege Escalation
  • Process Injection (111)
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
Defense Evasion
  • Masquerading (1)
  • Disabling Security Tools (1)
  • Process Injection (111)
  • Obfuscated Files or Information (2)
  • Masquerading
Credential Access
  • Input Capture (111)
  • Credentials in Registry (1)
  • Credentials in Files (1)
  • Credentials in Files
  • Account Manipulation
Discovery
  • Process Discovery (1)
  • Security Software Discovery (31)
  • Remote System Discovery (1)
  • System Network Configuration Discovery (1)
  • System Information Discovery (112)
Lateral Movement
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
Collection
  • Input Capture (111)
  • Data from Local System (2)
  • Clipboard Data (1)
  • Input Capture
  • Data Staged
Exfiltration
  • Data Compressed
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
Command and Control
  • Standard Non-Application Layer Protocol (2)
  • Standard Application Layer Protocol (2)
  • Custom Cryptographic Protocol
  • Multiband Communication
  • Standard Cryptographic Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; virustotal: Detection: 25%
Multi AV Scanner detection for submitted file
Source: byc.png.exe; virustotal: Detection: 25%

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: checkip.amazonaws.com
HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: checkip.amazonaws.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 52.202.139.131
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: checkip.amazonaws.com Connection: Keep-Alive
Found strings which match to known social media urls
Source: Javas.exe, 0000000A.00000002.6036946182.0000000000B38000.00000004.sdmp; String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: Javas.exe, 0000000A.00000002.6036946182.0000000000B38000.00000004.sdmp; String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows equals www.hotmail.com (Hotmail)
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: }qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: }qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3658Z equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: checkip.amazonaws.com
Urls found in memory or binary data
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://checkip.amazonaws.com
Source: Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://checkip.amazonaws.com/
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://checkip.amazonaws.comx&
Source: Javas.exe, 0000000A.00000002.6036946182.0000000000B38000.00000004.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/
Source: Javas.exe, 0000000A.00000002.6036946182.0000000000B38000.00000004.sdmp, Javas.exe, 0000000A.00000003.5434890832.0000000000B38000.00000004.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp8Z
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/D
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/P
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/de-ch/
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/de-ch/D
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp; String found in binary or memory: http://www.msn.com/de-ch/P

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\byc.png.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\byc.png.exe
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Javas\Javas.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: byc.png.exe, 00000001.00000002.4803210091.000000000080B000.00000004.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\byc.png.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Creates mutexes
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Reads the hosts file
Source: C:\Users\user\Desktop\byc.png.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: byc.png.exe, 00000001.00000002.4815904599.0000000003C62000.00000004.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs byc.png.exe
Source: byc.png.exe, 00000001.00000002.4815904599.0000000003C62000.00000004.sdmp; Binary or memory string: OriginalFilenamefirefox.exe4 vs byc.png.exe
Source: byc.png.exe, 00000001.00000002.4815904599.0000000003C62000.00000004.sdmp; Binary or memory string: OriginalFilenameRLHVAFRPABBYUGNAAAFKMWSZSFUDDETQDBYYFUNH_20190211050224017.exe4 vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6028193094.0000000005740000.00000002.sdmp; Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6028263025.0000000005750000.00000002.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6029979277.0000000005E80000.00000002.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6030794195.0000000006100000.00000002.sdmp; Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6030613835.0000000006090000.00000002.sdmp; Binary or memory string: OriginalFilenamewshom.ocx.mui vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6030556540.0000000006080000.00000002.sdmp; Binary or memory string: OriginalFilenamewshom.ocx vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6030757194.00000000060F0000.00000002.sdmp; Binary or memory string: OriginalFilenamenlsbres.dllj% vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6030210955.0000000005EE0000.00000004.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp; Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp; Binary or memory string: OriginalFilename vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp; Binary or memory string: }qU,\\StringFileInfo\\040904B0\\OriginalFilenameP vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6019307135.0000000000402000.00000040.sdmp; Binary or memory string: OriginalFilenamefirefox.exe4 vs byc.png.exe
Source: byc.png.exe, 00000004.00000002.6019307135.0000000000402000.00000040.sdmp; Binary or memory string: OriginalFilenameRLHVAFRPABBYUGNAAAFKMWSZSFUDDETQDBYYFUNH_20190211050224017.exe4 vs byc.png.exe
Source: byc.png.exe; Binary or memory string: OriginalFilenamebyc.exe8 vs byc.png.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\byc.png.exe; File read: C:\Users\user\Desktop\byc.png.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\byc.png.exe; Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Section loaded: wow64log.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: byc.png.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Javas.exe.4.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine; Classification label: mal96.troj.spyw.evad.winEXE@9/4@2/2
Creates files inside the user directory
Source: C:\Users\user\Desktop\byc.png.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\byc.png.exe.log
PE file has an executable .text section and no other executable section
Source: byc.png.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\byc.png.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\byc.png.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\byc.png.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\byc.png.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\byc.png.exe; File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\byc.png.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: byc.png.exe; virustotal: Detection: 25%
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\byc.png.exe 'C:\Users\user\Desktop\byc.png.exe'
Source: unknown; Process created: C:\Users\user\Desktop\byc.png.exe C:\Users\user\Desktop\byc.png.exe
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Javas\Javas.exe 'C:\Users\user\AppData\Roaming\Javas\Javas.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Javas\Javas.exe C:\Users\user\AppData\Roaming\Javas\Javas.exe
Source: C:\Users\user\Desktop\byc.png.exe; Process created: C:\Users\user\Desktop\byc.png.exe C:\Users\user\Desktop\byc.png.exe
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Process created: C:\Users\user\AppData\Roaming\Javas\Javas.exe C:\Users\user\AppData\Roaming\Javas\Javas.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\byc.png.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\byc.png.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\byc.png.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
PE file contains a COM descriptor data directory
Source: byc.png.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\byc.png.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: byc.png.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb; source: byc.png.exe, 00000001.00000002.4815904599.0000000003C62000.00000004.sdmp, byc.png.exe, 00000004.00000002.6030210955.0000000005EE0000.00000004.sdmp, Javas.exe, 00000009.00000002.5123465474.0000000005870000.00000040.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp, Javas.exe, 0000000B.00000002.5206635790.0000000004AE0000.00000040.sdmp, Javas.exe, 0000000C.00000002.5273347525.0000000000402000.00000040.sdmp
Source: Binary string: mscorrc.pdb; source: byc.png.exe, 00000004.00000002.6029979277.0000000005E80000.00000002.sdmp, Javas.exe, 0000000A.00000002.6044569371.0000000005B00000.00000002.sdmp

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.99096603359

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\byc.png.exe; File created: C:\Users\user\AppData\Roaming\Javas\Javas.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\byc.png.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Javas

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\byc.png.exe; File opened: C:\Users\user\AppData\Roaming\Javas\Javas.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; File opened: C:\Users\user\AppData\Roaming\Javas\Javas.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: png.exe; Static PE information: byc.png.exe
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\byc.png.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\byc.png.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (2 entries)
Contains long sleeps (>= 3 min)
Note: delay times are in milliseconds. 922337203685477 is Int64.MaxValue in 100 ns units divided by 10000, i.e. an infinite wait (a parked thread, typically a message loop or Timeout.Infinite), not a timed sleep; the 1500000 ms (25 min) delay of byc.png.exe is the only genuine long sleep in this list.
Source: C:\Users\user\Desktop\byc.png.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\user\Desktop\byc.png.exe | Thread delayed: delay time: 1500000
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Thread delayed: delay time: 922337203685477 (3 entries)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\byc.png.exe TID: 4888 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\byc.png.exe TID: 4980 | Thread sleep count: 98 > 30
Source: C:\Users\user\Desktop\byc.png.exe TID: 4980 | Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\Desktop\byc.png.exe TID: 5056 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\byc.png.exe TID: 5056 | Thread sleep time: -3000000s >= -30000s
Source: C:\Users\user\Desktop\byc.png.exe TID: 4936 | Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe TID: 3924 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe TID: 4260 | Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe TID: 4260 | Thread sleep time: -89000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe TID: 4208 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe TID: 4584 | Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\byc.png.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 entries)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\byc.png.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Last function: Thread delayed (2 entries)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Note: the strings below are standard Windows Host Compute Service error messages (the HCS_E_* family in winerror.h) and the "Hyper-V RAW" Winsock provider name from mswsock.dll. They are present in mapped system libraries on any Windows 10 host, so on their own they are a weak indicator; the WMI queries above are the stronger evidence of VM fingerprinting.
Source: byc.png.exe, 00000004.00000002.6028263025.0000000005750000.00000002.sdmp, Javas.exe, 0000000A.00000002.6042820067.00000000053D0000.00000002.sdmp, Javas.exe, 0000000C.00000002.5281618590.0000000005680000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: byc.png.exe, 00000004.00000002.6028263025.0000000005750000.00000002.sdmp, Javas.exe, 0000000A.00000002.6042820067.00000000053D0000.00000002.sdmp, Javas.exe, 0000000C.00000002.5281618590.0000000005680000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: byc.png.exe, 00000004.00000002.6028263025.0000000005750000.00000002.sdmp, Javas.exe, 0000000A.00000002.6042820067.00000000053D0000.00000002.sdmp, Javas.exe, 0000000C.00000002.5281618590.0000000005680000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Javas.exe, 0000000A.00000002.6036946182.0000000000B38000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: byc.png.exe, 00000004.00000002.6028263025.0000000005750000.00000002.sdmp, Javas.exe, 0000000A.00000002.6042820067.00000000053D0000.00000002.sdmp, Javas.exe, 0000000C.00000002.5281618590.0000000005680000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\byc.png.exe | Process information queried: ProcessInformation
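The evasion entries above mix two very different things: genuine timed sleeps and infinite waits that merely look like huge delays. The following Python triage helper, added here as an illustration and not part of the Joe Sandbox report or the sample, parses report-style "Thread delayed" and WMI lines, separates infinite waits from real long sleeps, and collects the WMI classes used for VM fingerprinting. The input lines are constructed to mirror this report's entries; the list of fingerprinting classes is an assumption that goes beyond the two classes the report shows.

```python
import re
from collections import defaultdict

# NtDelayExecution takes a relative interval in 100 ns units; Joe Sandbox prints it in ms.
# Int64.MaxValue // 10000 is therefore what an infinite wait (Timeout.Infinite) looks like.
INFINITE_MS = (2 ** 63 - 1) // 10000        # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000               # the report's ">= 3 min" threshold

# WMI classes commonly enumerated to fingerprint a hypervisor (assumed list, wider than the report).
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                          "Win32_ComputerSystem", "Win32_DiskDrive", "Win32_VideoController"}

DELAY_RE = re.compile(r"Source: (?P<proc>.+?\.exe).*?Thread delayed: delay time: (?P<ms>\d+)")
WMI_RE = re.compile(r"Source: (?P<proc>.+?\.exe).*?CreateInstanceEnum - (?P<ns>\S+) : (?P<cls>\w+)")


def classify_delay(ms):
    """'infinite' = parked thread, 'long' = timed sleep >= 3 min, otherwise 'short'."""
    if ms >= INFINITE_MS:
        return "infinite"
    return "long" if ms >= LONG_SLEEP_MS else "short"


def triage(lines):
    """Group delays and VM-fingerprinting WMI classes per process image path."""
    out = defaultdict(lambda: {"delays": [], "wmi": set()})
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            ms = int(m.group("ms"))
            out[m.group("proc")]["delays"].append((ms, classify_delay(ms)))
            continue
        m = WMI_RE.search(line)
        if m and m.group("cls") in VM_FINGERPRINT_CLASSES:
            out[m.group("proc")]["wmi"].add(m.group("cls"))
    return dict(out)


def timed_sleeps(findings, proc):
    """Only timed long sleeps count as evasion delays; infinite waits are idle threads."""
    return [ms for ms, kind in findings[proc]["delays"] if kind == "long"]


SAMPLE = [  # constructed lines modelled on this report's entries
    r"Source: C:\Users\user\Desktop\byc.png.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\byc.png.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\byc.png.exe | Thread delayed: delay time: 1500000",
    r"Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Thread delayed: delay time: 922337203685477",
]

if __name__ == "__main__":
    findings = triage(SAMPLE)
    for proc, f in findings.items():
        print(proc, "timed sleeps (ms):", timed_sleeps(findings, proc), "VM WMI:", sorted(f["wmi"]))
```

Run against the constructed lines, byc.png.exe is left with a single real 25-minute sleep plus the Win32_BaseBoard query, while Javas.exe shows no timed sleep at all but queries both Win32_BaseBoard and Win32_Processor.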

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\byc.png.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\byc.png.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Process queried: DebugPort (2 entries)
Enables debug privileges
Source: C:\Users\user\Desktop\byc.png.exe | Process token adjusted: Debug (2 entries)
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\byc.png.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Note: in every entry the target is a freshly created instance of the sample's own image and the write lands at the default 32-bit image base 0x400000 with an MZ header (4D5A), i.e. RunPE-style self-hollowing. The real payload is therefore the module mapped at 0x400000 in the child process's memory dump, not the on-disk byc.png.exe / Javas.exe.
Source: C:\Users\user\Desktop\byc.png.exe | Memory written: C:\Users\user\Desktop\byc.png.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Memory written: C:\Users\user\AppData\Roaming\Javas\Javas.exe base: 400000 value starts with: 4D5A (2 entries)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\byc.png.exe | Process created: C:\Users\user\Desktop\byc.png.exe C:\Users\user\Desktop\byc.png.exe
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Process created: C:\Users\user\AppData\Roaming\Javas\Javas.exe C:\Users\user\AppData\Roaming\Javas\Javas.exe (2 entries)
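The two signatures above only become conclusive when read together: the same process that spawned a child later writes a PE header at that child's image base. The Python correlation below is an added example, not part of the report, that joins report-style "Process created" and "Memory written" lines into hollowing findings and flags the self-image case seen here. The input lines are constructed from this report's entries plus one benign write that must not match; the report lines do not carry the CREATE_SUSPENDED flag, so the code relies on the creation/write pairing rather than on the flag.

```python
import re
from collections import defaultdict

CREATE_RE = re.compile(r"Source: (?P<parent>.+?\.exe).*?Process created: (?P<child>\S+?\.exe)(?:\s|$)")
WRITE_RE = re.compile(r"Source: (?P<writer>.+?\.exe).*?Memory written: (?P<target>.+?\.exe) base: "
                      r"(?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)")
MZ = b"MZ"


def find_hollowing(lines):
    """One finding per MZ write into a process that the writer itself created."""
    children = defaultdict(set)
    for line in lines:                       # pass 1: who created whom
        m = CREATE_RE.search(line)
        if m:
            children[m.group("parent")].add(m.group("child"))
    findings = []
    for line in lines:                       # pass 2: PE headers written into a created child
        m = WRITE_RE.search(line)
        if not m:
            continue
        writer, target = m.group("writer"), m.group("target")
        magic = bytes.fromhex(m.group("magic"))[:2]
        if magic == MZ and target in children[writer]:
            findings.append({
                "writer": writer,
                "target": target,
                "base": int(m.group("base"), 16),
                # RunPE into a copy of itself: the hollowed child shares the parent's image path
                "self_image": writer.lower() == target.lower(),
            })
    return findings


SAMPLE = [  # constructed from this report's entries; last line is a benign non-match
    r"Source: C:\Users\user\Desktop\byc.png.exe | Process created: C:\Users\user\Desktop\byc.png.exe C:\Users\user\Desktop\byc.png.exe",
    r"Source: C:\Users\user\Desktop\byc.png.exe | Memory written: C:\Users\user\Desktop\byc.png.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Process created: C:\Users\user\AppData\Roaming\Javas\Javas.exe C:\Users\user\AppData\Roaming\Javas\Javas.exe",
    r"Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Memory written: C:\Users\user\AppData\Roaming\Javas\Javas.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF600000000 value starts with: 00000000",
]

if __name__ == "__main__":
    for hit in find_hollowing(SAMPLE):
        print(f"{hit['writer']} -> {hit['target']} @ {hit['base']:#x} self_image={hit['self_image']}")
```

The same pairing maps onto Sysmon telemetry (Event ID 1 for the child creation, Event ID 8/10 for the cross-process access) if you want to hunt for it outside the sandbox.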
May try to detect the Windows Explorer process (often used for injection)
Note: the "Program Manager" / "Progman" / "Shell_TrayWnd" hits are window titles and class names, and the longer strings are the keylogger's HTML-formatted log: a "[ <window title> ]" header with a timestamp, followed by the captured keystrokes with special keys such as {ESC} and {Win} rendered in green. They document keylogging of the desktop window, not injection into Explorer; the {ESC}{Win}r sequence at 17:50:24 is a captured Win+R (Run dialog) keystroke.
Source: byc.png.exe, 00000004.00000002.6022804943.0000000001610000.00000002.sdmp, Javas.exe, 0000000A.00000002.6038349112.0000000001300000.00000002.sdmp | Binary or memory string: Program Managere
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp, Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp | Binary or memory string: Program Manager
Source: byc.png.exe, 00000004.00000002.6022804943.0000000001610000.00000002.sdmp, Javas.exe, 0000000A.00000002.6038349112.0000000001300000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: byc.png.exe, 00000004.00000002.6022804943.0000000001610000.00000002.sdmp, Javas.exe, 0000000A.00000002.6038349112.0000000001300000.00000002.sdmp | Binary or memory string: Progman
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:24)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{Win}</font>X
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Program ManagerP
Source: Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:51:08)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:51:08)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:51:51)</span></span><br><font color=#008000>{ESC}</font>X
Source: Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:51:08)</span></span><br><font color=#008000>{ESC}</font>X
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:46)</span></span><br>
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:46)</span></span><br><font color=#008000>{ESC}</font>X
Source: byc.png.exe, 00000004.00000002.6022804943.0000000001610000.00000002.sdmp, Javas.exe, 0000000A.00000002.6038349112.0000000001300000.00000002.sdmp | Binary or memory string: Progmanlock
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:51:51)</span></span><br>
Source: Javas.exe, 0000000A.00000002.6040516956.0000000002BC0000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:51:08)</span></span><br>
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:24)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{Win}</font>r<br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;><b>[ Microsoft
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:46)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><br><span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;><b>[ Microsoft
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:24)</span></span><br>
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:24)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{Win}</font>rX
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:24)</span></span><br><font color=#008000>{ESC}</font>X
Source: byc.png.exe, 00000004.00000002.6025301992.0000000002F30000.00000004.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(02/11/2019 17:50:46)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X
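When the HTML keylog is carved from a memory dump, an analyst wants it back as a timeline of window, timestamp and keystrokes rather than as markup. The Python parser below is an added example, not part of the report or the sample's code; the log layout it assumes is inferred from the fragments above (a "<b>[ label </b>title <b>]</b>" header, a parenthesised MM/DD/YYYY timestamp, then special keys in green font tags and typed characters as bare text, each entry ending at a <br>). The sample log is constructed from two of the recovered fragments, and the MM/DD/YYYY order is an assumption consistent with the analysis date of 11 February 2019.

```python
import re
from datetime import datetime

# Entry header and body, as inferred from the recovered fragments (assumption, not a documented format).
ENTRY_RE = re.compile(
    r"</b>(?P<title>[^<]*?) <b>\]</b>\s*<span[^>]*>\((?P<ts>[^)]*)\)</span></span><br>"
    r"(?P<keys>.*?)(?=<br>|<span|$)", re.S)
# Special keys are wrapped in green <font> tags; anything else outside a tag is a typed character.
TOKEN_RE = re.compile(r"<font color=#008000>(?P<special>\{[^}]+\})</font>|(?P<char>[^<])")


def parse_keylog(html):
    """Return [{'window': str, 'time': datetime, 'keys': [tokens]}] in log order."""
    entries = []
    for m in ENTRY_RE.finditer(html):
        keys = [t.group("special") or t.group("char") for t in TOKEN_RE.finditer(m.group("keys"))]
        entries.append({
            "window": m.group("title"),
            "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"),  # assumed MM/DD/YYYY
            "keys": keys,
        })
    return entries


def render(entry):
    """Flatten one entry's keystrokes, e.g. '{ESC}{Win}r' for Escape, Win+R."""
    return "".join(entry["keys"])


SAMPLE_LOG = (  # constructed from the fragments recovered in this report
    "<span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>"
    "<b>[ Operating System: </b>Program Manager <b>]</b> "
    "<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>"
    "(02/11/2019 17:50:24)</span></span><br>"
    "<font color=#008000>{ESC}</font><font color=#008000>{Win}</font>r<br>"
    "<span style=font-size:14px;font-style:normal;text-decoration:none;text-transform:none;color:#0099cc;>"
    "<b>[ Operating System: </b>Program Manager <b>]</b> "
    "<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>"
    "(02/11/2019 17:51:08)</span></span><br>"
    "<font color=#008000>{ESC}</font><font color=#008000>{ESC}</font><font color=#008000>{ESC}</font>X"
)

if __name__ == "__main__":
    for e in parse_keylog(SAMPLE_LOG):
        print(e["time"].isoformat(), "|", e["window"], "|", render(e))
```

Running it on a full carved log gives one line per foreground-window change, which is the quickest way to see what the victim typed and into which application.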

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\byc.png.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\byc.png.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation (2 entries)
Source: C:\Users\user\Desktop\byc.png.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (4 entries)
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation (2 entries)
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\byc.png.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\byc.png.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Note: the Outlook subkey 9375CFF0413111d3B88A00104B2A6676 is the standard MAPI profile container that holds account settings and stored POP/IMAP/SMTP passwords, which is why stealers read it directly.
Source: C:\Users\user\Desktop\byc.png.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\byc.png.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\byc.png.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\Javas\Javas.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph

Behavior Graph ID: 109775 | Sample: byc.png.exe | Start date: 11/02/2019 | Architecture: WINDOWS | Score: 96

Sample-level signatures:
  • Multi AV Scanner detection for submitted file
  • Uses an obfuscated file name to hide its real file extension (double extension)
  • May check the online IP address of the machine

Process tree (graph node numbers in brackets):
  • Javas.exe [6], started from the sample
      - Multi AV Scanner detection for dropped file
      - Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      - Injects a PE file into a foreign processes
      - starts Javas.exe [14]
  • byc.png.exe [9], started from the sample
      - dropped C:\Users\user\AppData\...\byc.png.exe.log (ASCII)
      - starts byc.png.exe [18]
  • Javas.exe [12], started from the sample
      - starts Javas.exe [21]
  • Javas.exe [14]
      - network: 52.202.139.131 port 80 (local port 49788), AMAZON-AES-AmazoncomIncUS, United States; DNS: checkip.check-ip.aws.a2z.com, checkip.amazonaws.com
      - Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      - Tries to steal Mail credentials (via file access)
      - Tries to harvest and steal ftp login credentials
      - Tries to harvest and steal browser information (history, passwords, etc)
  • byc.png.exe [18]
      - network: checkip.us-east-1.prod.check-ip.aws.a2z.com 34.196.82.108 port 80 (local port 49787), AMAZON-AES-AmazoncomIncUS, United States; DNS: checkip.check-ip.aws.a2z.com, checkip.amazonaws.com
      - dropped C:\Users\user\AppData\Roaming\...\Javas.exe (PE32)
      - dropped C:\Users\user\...\Javas.exe:Zone.Identifier (ASCII)
      - Hides that the sample has been downloaded from the Internet (zone.identifier)
      - Installs a global keyboard hook

Simulations

Behavior and APIs

Time | Type | Description
17:50:20 | API Interceptor | 2x Sleep call for process: byc.png.exe modified
17:50:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value Javas = C:\Users\user\AppData\Roaming\Javas\Javas.exe
17:50:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value Javas = C:\Users\user\AppData\Roaming\Javas\Javas.exe
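The artefacts above are directly usable for host-side detection: the credential-store paths listed under "Stealing of Sensitive Information" (WinSCP, Chrome, Firefox, FileZilla, SmartFTP, Thunderbird, Outlook, IncrediMail), the MachineGuid query, the Run-key autostart entries in this table and the checkip.amazonaws.com lookup. The following Python is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It replays constructed Sysmon-style event lines (the pipe-separated format, the process IDs and the benign filezilla.exe control line are assumptions made for the example) through a scorer that flags an image touching two or more unrelated credential-store families, a Run value pointing into a user-writable directory, and an external-IP lookup, while treating the MachineGuid read only as supporting evidence.

```python
"""Behavioural triage keyed on the artefacts in this report.
Events are constructed lines of the form time|pid|image|type|target
(format and pids are assumptions for the example, not Sysmon's own schema)."""
import re
from collections import defaultdict

# Report artefacts in normalised form: lower case, forward slashes, short
# hive names, and the user-profile prefix replaced by a token.
CREDENTIAL_STORES = {
    "winscp":  ["hkcu/software/martin prikryl/winscp 2/sessions"],
    "browser": ["/google/chrome/user data/default/login data",
                "/mozilla/firefox/profiles.ini"],
    "ftp":     ["/filezilla/recentservers.xml",
                "/smartftp/client 2.0/favorites/quick connect"],
    "mail":    ["/thunderbird/profiles.ini",
                "hkcu/software/microsoft/windows nt/currentversion/"
                "windows messaging subsystem/profiles/outlook",
                "hkcu/software/incredimail/identities"],
}
MACHINE_GUID = "hklm/software/microsoft/cryptography/machineguid"
RUN_KEY = "/currentversion/run/"
USER_WRITABLE = ("%userprofile%/appdata/", "%userprofile%/desktop/",
                 "c:/programdata/", "c:/users/public/")
IP_CHECK_DOMAINS = {"checkip.amazonaws.com", "checkip.check-ip.aws.a2z.com"}


def normalize(path):
    """Map a file or registry path to the form used in the tables above."""
    p = path.lower().replace("\\", "/")
    p = re.sub(r"^(hkey_current_user|hkcu64)/", "hkcu/", p)
    p = re.sub(r"^(hkey_local_machine|hklm64)/", "hklm/", p)
    return re.sub(r"^c:/users/[^/]+", "%userprofile%", p)


def analyse(events):
    """Collect per-image indicators from an iterable of event lines."""
    findings = defaultdict(lambda: {"credential_stores": set(), "persistence": [],
                                    "ip_check": False, "machine_guid": False})
    for line in events:
        _time, _pid, image, etype, target = line.split("|", 4)
        f = findings[image]
        if etype == "RegSet":                       # value_path=data
            value_path, _, data = target.partition("=")
            if RUN_KEY in normalize(value_path) and normalize(data).startswith(USER_WRITABLE):
                f["persistence"].append((value_path.rsplit("\\", 1)[-1], data))
            continue
        if etype == "DnsQuery":
            f["ip_check"] |= target.lower() in IP_CHECK_DOMAINS
            continue
        n = normalize(target)                       # FileOpen / RegOpen / RegQuery
        f["machine_guid"] |= n == MACHINE_GUID
        for category, needles in CREDENTIAL_STORES.items():
            if any(needle in n for needle in needles):
                f["credential_stores"].add(category)
    return dict(findings)


def verdict(f):
    """Reasons to flag one image; an empty list means nothing to report.
    Two or more unrelated store families is the stealer pattern (a genuine
    client reads only its own store); the other indicators add confidence,
    so a MachineGuid read on its own never produces a verdict."""
    reasons = []
    if len(f["credential_stores"]) >= 2:
        reasons.append("multi-store credential access: " + ", ".join(sorted(f["credential_stores"])))
    for name, command in f["persistence"]:
        reasons.append(f"Run value '{name}' points into a user-writable path: {command}")
    if f["ip_check"]:
        reasons.append("external IP lookup")
    if f["machine_guid"] and reasons:
        reasons.append("host fingerprint via MachineGuid")
    return reasons


def triage(events):
    """Images with at least one reason, mapped to their reasons."""
    result = {}
    for image, f in analyse(events).items():
        reasons = verdict(f)
        if reasons:
            result[image] = reasons
    return result


# Constructed events mirroring the report: the dropper, the dropped copy, and
# a benign FTP client that only reads its own configuration.
SAMPLE_EVENTS = [
    r"17:50:12|4|C:\Users\user\Desktop\byc.png.exe|RegQuery|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    r"17:50:13|4|C:\Users\user\Desktop\byc.png.exe|RegOpen|HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"17:50:13|4|C:\Users\user\Desktop\byc.png.exe|FileOpen|C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"17:50:14|4|C:\Users\user\Desktop\byc.png.exe|RegOpen|HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"17:50:25|4|C:\Users\user\Desktop\byc.png.exe|RegSet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Javas=C:\Users\user\AppData\Roaming\Javas\Javas.exe",
    r"17:50:26|4|C:\Users\user\Desktop\byc.png.exe|DnsQuery|checkip.amazonaws.com",
    r"17:50:33|10|C:\Users\user\AppData\Roaming\Javas\Javas.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"17:50:33|10|C:\Users\user\AppData\Roaming\Javas\Javas.exe|FileOpen|C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"17:50:33|10|C:\Users\user\AppData\Roaming\Javas\Javas.exe|RegSet|HKCU64\Software\Microsoft\Windows\CurrentVersion\Run\Javas=C:\Users\user\AppData\Roaming\Javas\Javas.exe",
    r"17:51:00|22|C:\Program Files\FileZilla FTP Client\filezilla.exe|FileOpen|C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Both the HKCU and HKCU64 autostart rows collapse to the same Run key after normalisation, which is why the two hive views in the table above are treated as one persistence indicator rather than two. The filezilla.exe line produces no verdict: one store family is what a legitimate client looks like, and the threshold is what separates it from byc.png.exe and Javas.exe.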

Antivirus Detection

Initial Sample

Source | Detection | Scanner
byc.png.exe | 25% | virustotal

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Roaming\Javas\Javas.exe | 25% | virustotal

Unpacked PE Files

Source | Detection | Scanner | Label
12.2.Javas.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1019136
10.2.Javas.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1019136
4.2.byc.png.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1019136

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://checkip.amazonaws.comx& | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match: 34.196.82.108
  • 28Business-proposal-enquiry-sheet-listed-items-201901280946.exe (malicious), context: checkip.amazonaws.com/
Match: 52.202.139.131
  • Payroll.xls (malicious), context: checkip.amazonaws.com/
  • 18Scan_pda_007765_pdf.exe (malicious), context: checkip.amazonaws.com/
  • 28Business-proposal-enquiry-sheet-listed-items-201901280946.exe (malicious), context: checkip.amazonaws.com/
  • 37Purchase Order 2-2019-600set.exe (malicious), context: checkip.amazonaws.com/
  • 49SOA_JAN_2019_pdf.exe (malicious), context: checkip.amazonaws.com/

Domains

Match: checkip.us-east-1.prod.check-ip.aws.a2z.com
  • Payroll.xls (malicious), context: 52.202.139.131
  • 18Scan_pda_007765_pdf.exe (malicious), context: 52.200.125.74
  • Purchase_Info_410.doc (malicious), context: 52.1.46.34
  • ReceiptUK_163850.doc (malicious), context: 34.192.84.239
  • mttvca.exe (malicious), context: 107.23.175.217
  • PaymentAdvice.xls (malicious), context: 107.23.175.217
  • 17crpptedkkhali.exe (malicious), context: 52.204.60.216
  • 37SWIFT COPY.exe (malicious), context: 52.200.125.74
  • ShipmentInfoUSPS_18557704.doc (malicious), context: 107.23.175.217
  • oki.exe (malicious), context: 34.192.84.239
  • Receipt_Info-123340422.doc (malicious), context: 52.204.60.216
  • Your_Order_Info_901029.xls (malicious), context: 52.200.125.74
  • djooo - Copie.doc (malicious), context: 52.200.125.74
  • 28Business-proposal-enquiry-sheet-listed-items-201901280946.exe (malicious), context: 52.202.139.131
  • 37Purchase Order 2-2019-600set.exe (malicious), context: 52.202.139.131
  • Payroll.xls (malicious), context: 34.233.102.38
  • Invoice3989021.xls (malicious), context: 34.192.84.239
  • Receipt_CAD_181210.doc (malicious), context: 34.233.102.38
  • Bestellinfo_17721322.doc (malicious), context: 52.204.60.216
  • Your_Order_Info_901029.xls (malicious), context: 52.200.143.163

ASN

Match: AMAZON-AES-AmazoncomIncUS
  • MalhaFinaApp.exe (malicious), context: 184.73.220.206
  • e1e89c87-9f66-11e7-8388-80e65024849.exe (malicious), context: 174.129.241.106
  • aO87Si5UJU.apk (malicious), context: 52.21.7.72
  • wccftech.com (malicious), context: 34.231.57.80
  • keyserimpactseries.com (malicious), context: 52.55.91.96
  • invoice_695758.doc (malicious), context: 23.23.170.235
  • notice_hancitor.doc (malicious), context: 184.73.220.206
  • receipt_722712.doc (malicious), context: 23.23.170.235
  • SecureDocuments.doc (malicious), context: 23.21.205.156
  • http://imprismail.com/affiliate/referral.asp?site=rea&url=pop/en/ukc/1&aff_id=5843_27027_19234_535127_1_357_ (malicious), context: 34.196.100.183
  • 28F2rC1LTQPp.exe (malicious), context: 52.203.45.73
  • tracking_info_125533.doc (malicious), context: 174.129.241.106
  • fax_273194.doc (malicious), context: 174.129.241.106
  • 60DocsScanIMG658999009889.exe (malicious), context: 52.7.10.163
  • BinderFile.exe (malicious), context: 23.23.170.235
  • NALC-salaries.xls (malicious), context: 52.1.52.89
  • NALC-salaries.xls (malicious), context: 52.1.52.89
  • NALC-salaries.xls (malicious), context: 52.1.52.89
  • YXOpwUgugb.exe (malicious), context: 34.198.182.201
  • http://l-ardagnole.com/dshgc67384 (malicious), context: 107.20.169.151

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
