Windows Analysis Report
mail.txt .exe

Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_00507730	0_2_00507730
Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_005011C9	0_2_005011C9
Source: C:\Windows\java.exe	Code function: 3_2_00507730	3_2_00507730

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
Source: Joe Sandbox View	Dropped File: C:\Windows\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C

Source: C:\Users\user\Desktop\mail.txt .exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 1264

Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: mail.txt .exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: mail.txt .exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tmp4F4F.tmp.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.expl.evad.winEXE@8/13@0/9

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6968
Source: C:\Windows\java.exe	Mutant created: \Sessions\1\BaseNamedObjects\849224root849224root8849224root849224root88

Source: C:\Users\user\Desktop\mail.txt .exe

File created: C:\Users\user\AppData\Local\Temp\zincite.log

Source: C:\Users\user\Desktop\mail.txt .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: mail.txt .exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\mail.txt .exe

File read: C:\Users\user\Desktop\mail.txt .exe

Source: unknown	Process created: C:\Users\user\Desktop\mail.txt .exe C:\Users\user\Desktop\mail.txt .exe
Source: C:\Users\user\Desktop\mail.txt .exe	Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: unknown	Process created: C:\Windows\java.exe "C:\Windows\java.exe"
Source: C:\Windows\java.exe	Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
Source: unknown	Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\mail.txt .exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 1264
Source: C:\Users\user\Desktop\mail.txt .exe	Process created: C:\Windows\services.exe C:\Windows\services.exe	Jump to behavior
Source: C:\Windows\java.exe	Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe	Jump to behavior

Source: C:\Users\user\Desktop\mail.txt .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Drops PE files with benign system names

Source: C:\Users\user\Desktop\mail.txt .exe

Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState,

0_2_00503620

Source: services.exe.0.dr	Static PE information: section name: UPX2
Source: services.exe.3.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_0050A42D push ds; ret	0_2_0050A42E
Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_0050DEA6 push ds; ret	0_2_0050DEBE
Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_0050A501 push ecx; retf	0_2_0050A53F
Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_0050A50F push ecx; retf	0_2_0050A53F
Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_00509BA2 push edx; retf	0_2_00509BAB
Source: C:\Windows\services.exe	Code function: 1_2_00405A55 push es; iretd	1_2_00405A8E
Source: C:\Windows\java.exe	Code function: 3_2_0050A42D push ds; ret	3_2_0050A42E
Source: C:\Windows\java.exe	Code function: 3_2_0050DEA6 push ds; ret	3_2_0050DEBE
Source: C:\Windows\java.exe	Code function: 3_2_0050A501 push ecx; retf	3_2_0050A53F
Source: C:\Windows\java.exe	Code function: 3_2_0050A50F push ecx; retf	3_2_0050A53F
Source: C:\Windows\java.exe	Code function: 3_2_00509BA2 push edx; retf	3_2_00509BAB

Source: mail.txt .exe	Static PE information: section name: .text entropy: 6.805048281534057
Source: java.exe.0.dr	Static PE information: section name: .text entropy: 6.805048281534057
Source: tmp4F4F.tmp.3.dr	Static PE information: section name: .text entropy: 6.805048281534057

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\mail.txt .exe	File created: C:\Windows\services.exe			Jump to dropped file
Source: C:\Windows\java.exe	File created: C:\Users\user\AppData\Local\Temp\services.exe			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\mail.txt .exe	Executable created and started: C:\Windows\services.exe			Jump to behavior
Source: unknown	Executable created and started: C:\Windows\java.exe

Exploit detected, runtime environment dropped PE file

Source: C:\Windows\java.exe

File created: tmp4F4F.tmp.3.dr

Jump to dropped file

Source: C:\Users\user\Desktop\mail.txt .exe	File created: \mail.txt .exe
Source: C:\Users\user\Desktop\mail.txt .exe	File created: \mail.txt .exe
Source: C:\Users\user\Desktop\mail.txt .exe	File created: \mail.txt .exe	Jump to behavior

Source: C:\Users\user\Desktop\mail.txt .exe	File created: C:\Windows\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\mail.txt .exe	File created: C:\Windows\services.exe	Jump to dropped file
Source: C:\Windows\java.exe	File created: C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp	Jump to dropped file
Source: C:\Windows\java.exe	File created: C:\Users\user\AppData\Local\Temp\services.exe	Jump to dropped file

Source: C:\Users\user\Desktop\mail.txt .exe	File created: C:\Windows\java.exe			Jump to dropped file
Source: C:\Users\user\Desktop\mail.txt .exe	File created: C:\Windows\services.exe			Jump to dropped file

Source: C:\Users\user\Desktop\mail.txt .exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM	Jump to behavior
Source: C:\Windows\services.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services	Jump to behavior
Source: C:\Windows\services.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (a lot of spaces)

Source: Detected 51 consecutive spaces in filename

Static PE information: mail.txt .exe

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.exe

Static PE information: mail.txt .exe

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\mail.txt .exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-3007
Source: C:\Users\user\Desktop\mail.txt .exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-3007

Source: C:\Windows\services.exe	Window / User API: threadDelayed 2878	Jump to behavior
Source: C:\Windows\java.exe	Window / User API: threadDelayed 356	Jump to behavior
Source: C:\Windows\java.exe	Window / User API: threadDelayed 8716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Window / User API: threadDelayed 7251	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Window / User API: threadDelayed 2747	Jump to behavior
Source: C:\Windows\services.exe	Window / User API: threadDelayed 9895	Jump to behavior

Source: C:\Windows\java.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_3-2834
Source: C:\Windows\services.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_1-1016

Source: C:\Windows\java.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092	Thread sleep time: -84000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092	Thread sleep count: 297 > 30	Jump to behavior
Source: C:\Windows\services.exe TID: 7156	Thread sleep count: 2878 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 2468	Thread sleep count: 356 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 2468	Thread sleep time: -284800s >= -30000s	Jump to behavior
Source: C:\Windows\java.exe TID: 4124	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 4124	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 4124	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 2468	Thread sleep count: 8716 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 2468	Thread sleep time: -6972800s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460	Thread sleep count: 7251 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460	Thread sleep time: -1812750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460	Thread sleep count: 2747 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460	Thread sleep time: -686750s >= -30000s	Jump to behavior
Source: C:\Windows\services.exe TID: 6048	Thread sleep count: 9895 > 30	Jump to behavior
Source: C:\Windows\services.exe TID: 6048	Thread sleep time: -2473750s >= -30000s	Jump to behavior
Source: C:\Windows\services.exe TID: 6048	Thread sleep count: 103 > 30	Jump to behavior

Source: C:\Users\user\Desktop\mail.txt .exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h		0_2_00505717
Source: C:\Windows\java.exe	Code function: 3_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h		3_2_00505717

Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,		0_2_005052AD
Source: C:\Windows\java.exe	Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,		3_2_005052AD

Source: C:\Users\user\Desktop\mail.txt .exe

Thread delayed: delay time: 84000

Source: C:\Users\user\Desktop\mail.txt .exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	File opened: C:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\mail.txt .exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mail.txt .exe, 00000000.00000003.2426549427.0000000000821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: mail.txt .exe, 00000000.00000002.2729293430.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.4466533402.000000000082E000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000004.00000002.4466269343.0000000000812000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000005.00000002.4466259388.0000000000800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: services.exe, 00000001.00000002.4466417572.0000000000812000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: mail.txt .exe, 00000000.00000003.2426549427.0000000000821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\mail.txt .exe	API call chain: ExitProcess graph end node			graph_0-2984
Source: C:\Windows\services.exe	API call chain: ExitProcess graph end node			graph_1-1005

Source: C:\Users\user\Desktop\mail.txt .exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\mail.txt .exe

Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState,

0_2_00503620

Source: C:\Users\user\Desktop\mail.txt .exe

Code function: 0_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,FindCloseChangeNotification,GetProcessHeap,RtlFreeHeap,

0_2_00504E00

Source: C:\Users\user\Desktop\mail.txt .exe	Process created: C:\Windows\services.exe C:\Windows\services.exe			Jump to behavior
Source: C:\Windows\java.exe	Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe			Jump to behavior

Source: C:\Users\user\Desktop\mail.txt .exe

Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA,

0_2_005032CB

Source: C:\Users\user\Desktop\mail.txt .exe

Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA,

0_2_005032CB

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\mail.txt .exe	Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,		0_2_0050311C
Source: C:\Windows\java.exe	Code function: 3_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress,		3_2_0050311C

Source: C:\Windows\services.exe

Code function: 1_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle,

1_2_00401F0E

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	42 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	221 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
mail.txt .exe	74%	ReversingLabs	Win32.Trojan.FlyAgent
mail.txt .exe	100%	Avira	TR/Spy.Banker.Gen
mail.txt .exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\services.exe	100%	Avira	BDS/Backdoor.fszhy
C:\Windows\java.exe	100%	Avira	TR/Spy.Banker.Gen
C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp	100%	Avira	TR/Spy.Banker.Gen
C:\Windows\services.exe	100%	Avira	BDS/Backdoor.fszhy
C:\Users\user\AppData\Local\Temp\services.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmpF606.tmp	100%	Joe Sandbox ML
C:\Windows\java.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp	100%	Joe Sandbox ML
C:\Windows\services.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\services.exe	100%	ReversingLabs	Win32.Worm.Mydoom
C:\Windows\java.exe	74%	ReversingLabs	Win32.Trojan.FlyAgent
C:\Windows\services.exe	100%	ReversingLabs	Win32.Worm.Mydoom

Source	Detection	Scanner	Label	Link
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0	mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.10.dr	false		high
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s	mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp	false		high
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s	mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp	false		high
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=	mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp	false		high
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c	mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.13
172.16.1.166
10.0.2.15
192.168.2.12
172.16.1.4
172.16.1.2
192.168.2.18
192.168.2.9
172.16.1.170

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1410988
Start date and time:	2024-03-18 14:35:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mail.txt .exe
Detection:	MAL
Classification:	mal100.spre.expl.evad.winEXE@8/13@0/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 17.179.253.242
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, apple.com, ocsp.digicert.com, mx-in-rno.apple.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: mail.txt .exe

Simulations

Behavior and APIs

Time	Type	Description
14:36:43	API Interceptor	98x Sleep call for process: mail.txt .exe modified
14:36:45	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM C:\Windows\java.exe
14:36:53	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Windows\services.exe
14:37:27	API Interceptor	2499325x Sleep call for process: java.exe modified
14:37:28	API Interceptor	2206926x Sleep call for process: services.exe modified
14:37:56	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\services.exe	instruction.scr.exe	Get hash	malicious	MyDoom	Browse
	.scr.exe	Get hash	malicious	MyDoom	Browse
	message.com.exe	Get hash	malicious	MyDoom	Browse
	letter.com.exe	Get hash	malicious	MyDoom	Browse
	yBvb5QQho4.exe	Get hash	malicious	MyDoom	Browse
	fsjRK2SX4t.exe	Get hash	malicious	MyDoom	Browse
	SecuriteInfo.com.Win32.HLLM.MyDoom.54464.3216.exe	Get hash	malicious	MyDoom	Browse
	.exe	Get hash	malicious	MyDoom	Browse
	Cg7HLh2mus.exe	Get hash	malicious	MyDoom	Browse
	AHnFoINkgu.exe	Get hash	malicious	MyDoom	Browse
C:\Windows\services.exe	instruction.scr.exe	Get hash	malicious	MyDoom	Browse
	.scr.exe	Get hash	malicious	MyDoom	Browse
	message.com.exe	Get hash	malicious	MyDoom	Browse
	letter.com.exe	Get hash	malicious	MyDoom	Browse
	yBvb5QQho4.exe	Get hash	malicious	MyDoom	Browse
	fsjRK2SX4t.exe	Get hash	malicious	MyDoom	Browse
	SecuriteInfo.com.Win32.HLLM.MyDoom.54464.3216.exe	Get hash	malicious	MyDoom	Browse
	.exe	Get hash	malicious	MyDoom	Browse
	Cg7HLh2mus.exe	Get hash	malicious	MyDoom	Browse
	AHnFoINkgu.exe	Get hash	malicious	MyDoom	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mail.txt _8b9367d6704e4841c5403f7df2dcefd440516db1_2c74e5d9_8b910105-d770-4563-ad1e-ad81b521a1fa\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9070386662593016
Encrypted:	false
SSDEEP:	96:qRFf46JNs6hM1yDfwQXIDcQvc6QcEVcw3cE/n+HbHg/opAnQzOqg7TlOy4aEuFq9:6nJN/0BU/gjd6zuiFhZ24IO8b
MD5:	FE57820F4A67A6B1C62C0A09DB8CDADC
SHA1:	A960E1564CE19B7D1734D375414E066B4067DEB6
SHA-256:	698AC759C7FAB327BE060C7E3D874B3CC49E524409AB3D38F5AEBF4E4977379D
SHA-512:	25F1B668991E2DE827CB9ADDEE34919FD03C70BD5736AD0890285141A666308CDDCB3E39B60CEF00D52DD7CD57C6C989630D33EE378196B3277F6D3747FB9211
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.5.2.4.2.6.6.6.5.1.6.3.4.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.5.2.4.2.6.6.7.1.5.6.9.6.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.9.1.0.1.0.5.-.d.7.7.0.-.4.5.6.3.-.a.d.1.e.-.a.d.8.1.b.5.2.1.a.1.f.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.8.2.9.e.b.c.-.7.6.4.9.-.4.d.c.8.-.b.a.a.0.-.2.5.9.4.7.c.4.f.8.e.9.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.a.i.l...t.x.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.8.-.0.0.0.1.-.0.0.1.4.-.2.4.2.c.-.c.5.5.0.3.9.7.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.5.d.f.2.2.8.a.6.3.7.c.7.e.7.f.e.6.9.5.5.d.a.2.c.0.0.7.9.b.8.c.0.0.0.0.f.f.f.f.!.0.0.0.0.a.f.4.9.d.2.9.3.5.b.7.5.6.2.7.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAFC.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Mar 18 13:37:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	88062
Entropy (8bit):	2.056578687053357
Encrypted:	false
SSDEEP:	384:5qJ4KX4dQNBkVj8HTo9nXKC6Rjo+ulX0Gshgf+Td:Ymc4de6jWTaaCWx1GUQa
MD5:	5A5B19A32404D6B67A0099BB719D78E9
SHA1:	88257CE082CE676F74CAD64F691675CA97A30D12
SHA-256:	F6D1F70AA824F00AD7C37CFBE7D697FFAB9902824C81B3334D7725DFA6A04384
SHA-512:	E1810AEADB6A106FF9D52D097EE3F70128E392DC776061C15A1B1F0656D7F74F0BD454C43D626DD791C8E8426DC140DE7953CE1DC829B9704D1399FB6D949683
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........C.e....................................$....8..........T.......8...........T...............^)..........,...........................................................................................eJ..............GenuineIntel............T.......8...kC.e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC07.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	3.7000663699490346
Encrypted:	false
SSDEEP:	192:R6l7wVeJf9626YEIISUtCKgmfPJjJprR89boysfzYm:R6lXJV626YEnSUtPgmfPJjKoxfJ
MD5:	C336F672678DC23976FF9A2EFF429653
SHA1:	E4B9CFB43E114EC2F7B2E5272270C7CE71A08D3D
SHA-256:	0C0A90619485D610DECE6B94A3676B86743C56DC99D0F0EA984463CB4BB79455
SHA-512:	8ADF9ACEBBE65949CFC55090B0E21A0EDEE85167E8C1C74C0D2472C8640D20BE2C52E3247BC45A3DBD7FD30283C2B127E0A9775060EB9083CC6800606250B188
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC56.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4835
Entropy (8bit):	4.2800978435649695
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9ykAWpW8VY7Ym8M4Jo0d8FSS+q8VgucVuzLz3mzdd:uIjfZI7J57VDJWMcQb3wdd
MD5:	0E41B37DAD4E9F816340FB8C47455059
SHA1:	91B6922E0D5BE6068EAB0FE64C0C7B74C63F256E
SHA-256:	1AA575563428FDDCCDA389557232A4C50807F96C869808C192E46070AD8D6A1F
SHA-512:	D150DE1242D29447C59129FDF08469FCBDE192B87134CF82990BCFE9AD439EEFAD3A0780CA6A237B22D43992259A2AE1D560D3209A4C81B97A9EAAB69B0851F7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="240760" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\services.exe

Process:	C:\Windows\java.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.951274251785221
Encrypted:	false
SSDEEP:	192:tZWNqWKIzebvOZnzCj6juhEJS3/Uf/tpfmG62X9f3:tZ6qWTYvczfahX/UHtF6e9f3
MD5:	B0FE74719B1B647E2056641931907F4A
SHA1:	E858C206D2D1542A79936CB00D85DA853BFC95E2
SHA-256:	BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
SHA-512:	9C82E88264696D0DADEF9C0442AD8D1183E48F0FB355A4FC9BF4FA5DB4E27745039F98B1FD1FEBFF620A5DED6DD493227F00D7D2E74B19757685AA8655F921C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: instruction.scr.exe, Detection: malicious, Browse Filename: .scr.exe, Detection: malicious, Browse Filename: message.com.exe, Detection: malicious, Browse Filename: letter.com.exe, Detection: malicious, Browse Filename: yBvb5QQho4.exe, Detection: malicious, Browse Filename: fsjRK2SX4t.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.HLLM.MyDoom.54464.3216.exe, Detection: malicious, Browse Filename: .exe, Detection: malicious, Browse Filename: Cg7HLh2mus.exe, Detection: malicious, Browse Filename: AHnFoINkgu.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................PE..L........................ .......@..pg...P...p....@..........................................................................p......................................................................................................................UPX0.....@..............................UPX1..... ...P......................@...UPX2.........p......................@..............................................................................................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp

Process:	C:\Windows\java.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	42966
Entropy (8bit):	5.920388487357334
Encrypted:	false
SSDEEP:	768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
MD5:	95640F1C78DDCBF8BB59462508624200
SHA1:	D55EB8893FA888EC787DA8E9A7E31ED8842701C4
SHA-256:	F422B1C4A887A35ED65DE77B05BC886529740D1D1860A55D6CD6593C07188CAB
SHA-512:	F563148B1CFDB2EC8F3B7BF386580000FFFD06CCB115898D7150847F0F123E9311122F015071D62B14A449DF56D52FEB3FE8AB5E231391154787AF15FA132F87
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................b..........$.............P.............................................................................0...................................................................................................................UPX0....................................UPX1.....`.......`..................@....rsrc................d..............@....text................r.............. ..............................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp:Zone.Identifier

Process:	C:\Windows\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\tmpF606.tmp

Process:	C:\Windows\java.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	modified
Size (bytes):	43312
Entropy (8bit):	5.928781182600825
Encrypted:	false
SSDEEP:	768:6EwHupU99d2JE0jNJJ83+8zzqgTdVY9/8:6EwVs+0jNDY1qi/qk
MD5:	54147806DA1F490FE95D19B6F22C3DCD
SHA1:	308082EF41190E3F8B86BB79A2FA9C6B3D34516D
SHA-256:	7FD11ACF8E708515FF23122494B4A93C185AC68916D7D0C783685017D7BA8130
SHA-512:	4235DF32ABDD57938FEEDF44996B665F693441AC3D042D5DB9A87C23DFEEBCDFF4E67C65B609B61A9DC49C61EE7D557AF827E0582570233ECE306471216068C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK...........0.[........\|...apple.com.htm .exeMZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................b..........$.............P.............................................................................0...................................................................................................................UPX0....................................UPX1.....`.......`..................@....rsrc................d..............@....text................r.............. .................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zincite.log

Process:	C:\Users\user\Desktop\mail.txt .exe
File Type:	data
Category:	dropped
Size (bytes):	128
Entropy (8bit):	5.72714157928447
Encrypted:	false
SSDEEP:	3:/0lwNjv9b7JmZNqZrP6qRE+y0GK2vuIt/FIXVQ1:/0CNL9bczqhEasvuIt/aFg
MD5:	22A7E53967B0F029542E990EA3E11197
SHA1:	9E26F6253559198700DD5F323C617112FF6E07C5
SHA-256:	0B49880FC4C2FE67B1277D3565AD7EA7B05597A05C61B388742E9FB3C3FE8700
SHA-512:	CE6F067AD30AF554F3BFCEAEB00E8EE2479E1591188C9E95B381B8CBD958E8AF48F224626132A851C31F1381C4639C0B9F8E5EFD94747C0AA92F57908B2A30CE
Malicious:	false
Preview:	..`....\...P.NN.@;7.@.r...0..(..y...*8..F....W..F...F...F...F...0..j.Wa..Wa..Wa..Wa..W..c.b3.Wa...Pb....8.................p.P

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4219129705118165
Encrypted:	false
SSDEEP:	6144:DSvfpi6ceLP/9skLmb0OT/WSPHaJG8nAgeMZMMhA2fX4WABlEnNH0uhiTw:OvloT/W+EZMM6DFyh03w
MD5:	4E49B7D9962411B4E0AD80D0C7C6D1E6
SHA1:	E1DCFF1D608745B7CDC4C46FB968A763B157B681
SHA-256:	E9132810A998EF24E49ED2E0A536FCB928448FD3714BC79C2533B70D0FBD749C
SHA-512:	1954028860C18633D6295EE42E7FE6D35766B16BBCB61F9344E7BA91947A0F777031CADE64254FADEC1F520E01EB9DA1A8972893613A0DE2EE46F27574078CD3
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~I7v9y................................................................................................................................................................................................................................................................................................................................................!B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\java.exe

Process:	C:\Users\user\Desktop\mail.txt .exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	42966
Entropy (8bit):	5.921070575391315
Encrypted:	false
SSDEEP:	768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
MD5:	EDF4FF0BC5DA6DABD5E7B78113D73BD8
SHA1:	AF49D2935B75627F6F748256F10C555D54040F2E
SHA-256:	E16D377C12B63ACB694601B4BDE36D61839054409E7FAE1661FB051892D2ED36
SHA-512:	68D5D0A81964EDA0B156EF4E82D26CA479D32B4A19DFBEC44B4058A6322E8C1F62DFF1EA4F7E61812470790A2029B285C365BF6DA69D31E99788FDD24E17E2F6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................b..........$.............P.............................................................................0...................................................................................................................UPX0....................................UPX1.....`.......`..................@....rsrc................d..............@....text................r.............. ..............................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

C:\Windows\java.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\mail.txt .exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\services.exe

Process:	C:\Users\user\Desktop\mail.txt .exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.951274251785221
Encrypted:	false
SSDEEP:	192:tZWNqWKIzebvOZnzCj6juhEJS3/Uf/tpfmG62X9f3:tZ6qWTYvczfahX/UHtF6e9f3
MD5:	B0FE74719B1B647E2056641931907F4A
SHA1:	E858C206D2D1542A79936CB00D85DA853BFC95E2
SHA-256:	BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
SHA-512:	9C82E88264696D0DADEF9C0442AD8D1183E48F0FB355A4FC9BF4FA5DB4E27745039F98B1FD1FEBFF620A5DED6DD493227F00D7D2E74B19757685AA8655F921C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: instruction.scr.exe, Detection: malicious, Browse Filename: .scr.exe, Detection: malicious, Browse Filename: message.com.exe, Detection: malicious, Browse Filename: letter.com.exe, Detection: malicious, Browse Filename: yBvb5QQho4.exe, Detection: malicious, Browse Filename: fsjRK2SX4t.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.HLLM.MyDoom.54464.3216.exe, Detection: malicious, Browse Filename: .exe, Detection: malicious, Browse Filename: Cg7HLh2mus.exe, Detection: malicious, Browse Filename: AHnFoINkgu.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................PE..L........................ .......@..pg...P...p....@..........................................................................p......................................................................................................................UPX0.....@..............................UPX1..... ...P......................@...UPX2.........p......................@..............................................................................................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	5.921070575391315
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	mail.txt .exe
File size:	42'966 bytes
MD5:	edf4ff0bc5da6dabd5e7b78113d73bd8
SHA1:	af49d2935b75627f6f748256f10c555d54040f2e
SHA256:	e16d377c12b63acb694601b4bde36d61839054409e7fae1661fb051892d2ed36
SHA512:	68d5d0a81964eda0b156ef4e82d26ca479d32b4a19dfbec44b4058a6322e8c1f62dff1ea4f7e61812470790a2029b285c365bf6da69d31e99788fdd24e17e2f6
SSDEEP:	768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
TLSH:	D213D0983E4FB942D2850C382A03EEBABD52FD444D09268BB5B47B4BBCB1F96455CC46
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................b.........

File Icon


Icon Hash:	9361c4a092b08082

Static PE Info

General

Entrypoint:	0x510024
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x500000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	98cd465c2ab2841f9fd90d5e847563f4

Entrypoint Preview

Instruction
stc
jc 00007F64F48D6BD9h
pop ds
xor esi, dword ptr [ecx-49h]
cwde
leave
jmp 00007F64F48D6C32h
jmp 00007F64F48D6BD5h
cmp dl, byte ptr [ebp+0006E8D2h]
add byte ptr [eax], al
dec ecx
stc
mov dl, EDh
pop ecx
pop ebx
jc 00007F64F48D6BD9h
jne 00007F64F48D6B67h
jnl 00007F64F48D6BB5h
sbb dword ptr [edx-383C7EDCh], FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf514	0x130	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x514	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x101f7	0x8	.text
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x9000	0x6000	0x6000	95e7e2aea06fcf90374e473c416d1137	False	0.9812825520833334	data	7.938048293950375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf000	0x1000	0x800	60d328df3a5dff05a8db261a75a0deda	False	0.27880859375	data	2.6542421841999686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x10000	0x1ff	0x200	49d1ec1d6eed7ca336017bbbebab7b7d	False	0.978515625	data	6.805048281534057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf0d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.2782258064516129
RT_ICON	0xf3c4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.4189189189189189
RT_GROUP_ICON	0xf4f0	0x22	data	English	United States	1.0

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll	RegCloseKey
MSVCRT.dll	memset
USER32.dll	wsprintfA
WS2_32.dll	gethostname

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 14:36:44.969635010 CET	49704	1034	192.168.2.5	172.16.1.2
Mar 18, 2024 14:36:45.984373093 CET	49704	1034	192.168.2.5	172.16.1.2
Mar 18, 2024 14:36:47.984302998 CET	49704	1034	192.168.2.5	172.16.1.2
Mar 18, 2024 14:36:51.984210014 CET	49704	1034	192.168.2.5	172.16.1.2
Mar 18, 2024 14:36:59.985518932 CET	49704	1034	192.168.2.5	172.16.1.2
Mar 18, 2024 14:37:05.986304045 CET	49713	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:37:06.984210968 CET	49713	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:37:08.984183073 CET	49713	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:37:12.984208107 CET	49713	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:37:20.984225035 CET	49713	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:37:27.000973940 CET	49714	1034	192.168.2.5	172.16.1.166
Mar 18, 2024 14:37:27.999804974 CET	49714	1034	192.168.2.5	172.16.1.166
Mar 18, 2024 14:37:30.015433073 CET	49714	1034	192.168.2.5	172.16.1.166
Mar 18, 2024 14:37:34.015373945 CET	49714	1034	192.168.2.5	172.16.1.166
Mar 18, 2024 14:37:42.015577078 CET	49714	1034	192.168.2.5	172.16.1.166
Mar 18, 2024 14:38:09.048047066 CET	49729	1034	192.168.2.5	10.0.2.15
Mar 18, 2024 14:38:10.046597004 CET	49729	1034	192.168.2.5	10.0.2.15
Mar 18, 2024 14:38:12.202869892 CET	49729	1034	192.168.2.5	10.0.2.15
Mar 18, 2024 14:38:16.202822924 CET	49729	1034	192.168.2.5	10.0.2.15
Mar 18, 2024 14:38:24.202841997 CET	49729	1034	192.168.2.5	10.0.2.15
Mar 18, 2024 14:39:33.891578913 CET	49733	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:39:34.937231064 CET	49733	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:39:36.937122107 CET	49733	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:39:40.937230110 CET	49733	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:39:49.046524048 CET	49733	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:40:16.673929930 CET	49735	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:40:17.749619007 CET	49735	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:40:19.843365908 CET	49735	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:40:23.843312979 CET	49735	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:40:31.937041998 CET	49735	1034	192.168.2.5	172.16.1.4
Mar 18, 2024 14:40:37.938071012 CET	49736	1034	192.168.2.5	172.16.1.170
Mar 18, 2024 14:40:38.999562025 CET	49736	1034	192.168.2.5	172.16.1.170
Mar 18, 2024 14:40:40.999578953 CET	49736	1034	192.168.2.5	172.16.1.170
Mar 18, 2024 14:40:45.000022888 CET	49736	1034	192.168.2.5	172.16.1.170
Mar 18, 2024 14:40:52.999541998 CET	49736	1034	192.168.2.5	172.16.1.170

Target ID:	0
Start time:	14:36:43
Start date:	18/03/2024
Path:	C:\Users\user\Desktop\mail.txt .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\mail.txt .exe
Imagebase:	0x500000
File size:	42'966 bytes
MD5 hash:	EDF4FF0BC5DA6DABD5E7B78113D73BD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MyDoom, Description: Yara detected MyDoom, Source: 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	14:36:43
Start date:	18/03/2024
Path:	C:\Windows\services.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\services.exe
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	B0FE74719B1B647E2056641931907F4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	3
Start time:	14:36:53
Start date:	18/03/2024
Path:	C:\Windows\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\java.exe"
Imagebase:	0x500000
File size:	42'966 bytes
MD5 hash:	EDF4FF0BC5DA6DABD5E7B78113D73BD8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MyDoom, Description: Yara detected MyDoom, Source: 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	14:36:53
Start date:	18/03/2024
Path:	C:\Users\user\AppData\Local\Temp\services.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\services.exe
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	B0FE74719B1B647E2056641931907F4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	5
Start time:	14:37:01
Start date:	18/03/2024
Path:	C:\Windows\services.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\services.exe"
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	B0FE74719B1B647E2056641931907F4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	14:37:46
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 1264
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true