Windows Analysis Report
KJKJJJECFI.exe

Overview

General Information

Sample name:	KJKJJJECFI.exe
Analysis ID:	1420081
MD5:	ce355f68f7fb9bcc5a1e140da2398489
SHA1:	917b5d290b3a0a28e092ccd53d6f9206223d9293
SHA256:	56fd2541a36680249ec670d07a5682d2ef5a343d1feccbcf2c3da86bd546af85
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Signatures

AV Detection

Antivirus detection for URL or domain

Source: pleasurecanbesafe.com/7vAficZogD/index.php

Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qsbtcxh

Avira: detection malicious, Label: HEUR/AGEN.1319380

Found malware configuration

Source: 2.2.cmd.exe.60400c8.7.unpack

Malware Configuration Extractor: Amadey {"C2 url": "pleasurecanbesafe.com/7vAficZogD/index.php", "Version": "4.18"}

Multi AV Scanner detection for domain / URL

Source: pleasurecanbesafe.com/7vAficZogD/index.php

Virustotal: Detection: 18%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qsbtcxh	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh	Virustotal: Detection: 76%			Perma Link

Multi AV Scanner detection for submitted file

Source: KJKJJJECFI.exe	ReversingLabs: Detection: 87%
Source: KJKJJJECFI.exe	Virustotal: Detection: 68%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qsbtcxh

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: pleasurecanbesafe.com
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: /7vAficZogD/index.php
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: S-%lu-
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: 40c3273379
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Dctooux.exe
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Startup
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: rundll32
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Programs
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: %USERPROFILE%
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: http://
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: https://
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: /Plugins/
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: &unit=
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: shell32.dll
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: kernel32.dll
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: GetNativeSystemInfo
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ProgramData\
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: AVAST Software
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Kaspersky Lab
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Panda Security
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Doctor Web
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: 360TotalSecurity
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Bitdefender
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Norton
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Sophos
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Comodo
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: WinDefender
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: 0123456789
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ------
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ?scr=1
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ComputerName
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: -unicode-
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: VideoID
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: DefaultSettings.XResolution
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: DefaultSettings.YResolution
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ProductName
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: CurrentBuild
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: rundll32.exe
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: "taskkill /f /im "
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: " && timeout 1 && del
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: && Exit"
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: " && ren
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Powershell.exe
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: shutdown -s -t 0
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: random

Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e2355f6c-3

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KJKJJJECFI.exe PID: 380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2792, type: MEMORYSTR

Uses 32bit PE files

Source: KJKJJJECFI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 155.101.98.133:443 -> 192.168.2.5:49707 version: TLS 1.2

Source: KJKJJJECFI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: KJKJJJECFI.exe
Source:	Binary string: CareUEyes.pdb source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdbUGP source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdb source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CareUEyes.pdb&a source: KJKJJJECFI.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: pleasurecanbesafe.com/7vAficZogD/index.php

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 155.101.98.133 155.101.98.133

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /docs/info/regex_1.html HTTP/1.1User-Agent: howHost: www.math.utah.edu

Source: unknown

DNS traffic detected: queries for: www.math.utah.edu

Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/analyzer/tj.html?uuid=%s&tm=%I64d&ver=%s&it=%s&reg=%dhttp://care-e
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/config/switch.datenablehttp://care-eyes.com/careueyes/v1/config/sw
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eye
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/pay/query_license.php&method=leftcodesubscriptionend
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/invite/query_rewards.phpid=http://care-eyes.com/invite.html?inv=%s/RtlGetNtVers
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.d
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicer
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: KJKJJJECFI.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://s.symcd.com06
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: KJKJJJECFI.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: KJKJJJECFI.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: KJKJJJECFI.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.0000000005623000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: KJKJJJECFI.exe	String found in binary or memory: https://api.myip.la/en?jsonhttp://ip-api.com/jsonhttps://ipv4.ip.nf/me.jsonhttps://freegeoip.app/jso
Source: KJKJJJECFI.exe	String found in binary or memory: https://bit.ly/3feVIiY
Source: Sendevsvc.exe, 00000007.00000003.2228548837.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, Sendevsvc.exe, 00000007.00000003.2228163024.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3feVIiYUEyes
Source: KJKJJJECFI.exe, 00000000.00000003.1976607989.0000000001A10000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3feVIiYfinder
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/buy.html?uuid=%s&tm=%I64d&ver=%s&it=%sd
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/how-to-use-magicx-feature/%.2fs$
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://care-eyes.com/how-to-use-magicx-feature/%.2fs$8
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/how-to-use-sunrise-sunset-feature/openslider_orange_progressslider_orange_bart
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/license-reset.html
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/what-is-pomodoro-technique/
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com?about
Source: KJKJJJECFI.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.co
Source: KJKJJJECFI.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: KJKJJJECFI.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: KJKJJJECFI.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/
Source: KJKJJJECFI.exe	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html/
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmlU
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmlws
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmly

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 155.101.98.133:443 -> 192.168.2.5:49707 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

PE / OLE file has an invalid certificate

Source: KJKJJJECFI.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: KJKJJJECFI.exe, 00000000.00000002.1999157020.000000000612D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000064E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: kernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1998361646.0000000005422000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ekernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: kernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe	Binary or memory string: Ekernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: nvapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: profapi.dll	Jump to behavior

Uses 32bit PE files

Source: KJKJJJECFI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@7/4@1/1

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File created: C:\Users\user\AppData\Roaming\careueyes

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File created: C:\Users\user\AppData\Local\Temp\4476cd9c

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: KJKJJJECFI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KJKJJJECFI.exe	ReversingLabs: Detection: 87%
Source: KJKJJJECFI.exe	Virustotal: Detection: 68%

Source: KJKJJJECFI.exe	String found in binary or memory: id-cmc-addExtensions
Source: KJKJJJECFI.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File read: C:\Users\user\Desktop\KJKJJJECFI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KJKJJJECFI.exe "C:\Users\user\Desktop\KJKJJJECFI.exe"
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe "C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe"
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: ivls.2.dr

LNK file: ..\..\Roaming\NBFoundation\Sendevsvc.exe

Source: KJKJJJECFI.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KJKJJJECFI.exe

Static file information: File size 6699592 > 1048576

Source: KJKJJJECFI.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37b800
Source: KJKJJJECFI.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x137600
Source: KJKJJJECFI.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x163600

Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KJKJJJECFI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: KJKJJJECFI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: KJKJJJECFI.exe
Source:	Binary string: CareUEyes.pdb source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdbUGP source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdb source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CareUEyes.pdb&a source: KJKJJJECFI.exe

PE file contains an invalid checksum

Source: qsbtcxh.2.dr	Static PE information: real checksum: 0x0 should be: 0x6e9ad
Source: KJKJJJECFI.exe	Static PE information: real checksum: 0x3dab6c should be: 0x66661f

PE file contains sections with non-standard names

Source: qsbtcxh.2.dr

Static PE information: section name: lxp

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\qsbtcxh

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\qsbtcxh

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QSBTCXH

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\cmd.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qsbtcxh

Jump to dropped file

Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Qvmware
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\KJKJJJECFI.exe	NtSetInformationThread: Direct from: 0x10F1A4F			Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	NtQuerySystemInformation: Direct from: 0x5A9D020			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2792 base: 5179C0 value: 55			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2792 base: 2980000 value: 00			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5179C0			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2980000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: KJKJJJECFI.exe	Binary or memory string: Eskin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: skin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: Sendevsvc.exe, 00000007.00000000.2222647313.000000000074D000.00000002.00000001.01000000.0000000C.sdmp, Sendevsvc.exe, 00000007.00000002.2229766624.000000000074D000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: Bskin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Code function: 0_2_01047996 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01047996

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.cmd.exe.60400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.60400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2254651788.0000000006040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2255985779.0000000002981000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\qsbtcxh, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
155.101.98.133	www.math.utah.edu	United States		17055	UTAHUS	false

Contacted Domains

Name	IP	Active
www.math.utah.edu	155.101.98.133	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
pleasurecanbesafe.com/7vAficZogD/index.php	true	18%, Virustotal, Browse Avira URL Cloud: phishing	low
https://www.math.utah.edu/docs/info/regex_1.html	false		high

AV Detection

Antivirus detection for URL or domain

Source: pleasurecanbesafe.com/7vAficZogD/index.php

Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qsbtcxh

Avira: detection malicious, Label: HEUR/AGEN.1319380

Found malware configuration

Source: 2.2.cmd.exe.60400c8.7.unpack

Malware Configuration Extractor: Amadey {"C2 url": "pleasurecanbesafe.com/7vAficZogD/index.php", "Version": "4.18"}

Multi AV Scanner detection for domain / URL

Source: pleasurecanbesafe.com/7vAficZogD/index.php

Virustotal: Detection: 18%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qsbtcxh	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh	Virustotal: Detection: 76%			Perma Link

Multi AV Scanner detection for submitted file

Source: KJKJJJECFI.exe	ReversingLabs: Detection: 87%
Source: KJKJJJECFI.exe	Virustotal: Detection: 68%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qsbtcxh

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: pleasurecanbesafe.com
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: /7vAficZogD/index.php
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: S-%lu-
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: 40c3273379
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Dctooux.exe
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Startup
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: rundll32
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Programs
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: %USERPROFILE%
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: http://
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: https://
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: /Plugins/
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: &unit=
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: shell32.dll
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: kernel32.dll
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: GetNativeSystemInfo
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ProgramData\
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: AVAST Software
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Kaspersky Lab
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Panda Security
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Doctor Web
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: 360TotalSecurity
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Bitdefender
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Norton
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Sophos
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Comodo
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: WinDefender
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: 0123456789
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ------
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ?scr=1
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ComputerName
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: -unicode-
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: VideoID
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: DefaultSettings.XResolution
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: DefaultSettings.YResolution
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: ProductName
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: CurrentBuild
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: rundll32.exe
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: "taskkill /f /im "
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: " && timeout 1 && del
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: && Exit"
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: " && ren
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: Powershell.exe
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: shutdown -s -t 0
Source: 2.2.cmd.exe.60400c8.7.unpack	String decryptor: random

Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e2355f6c-3

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KJKJJJECFI.exe PID: 380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2792, type: MEMORYSTR

Uses 32bit PE files

Source: KJKJJJECFI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 155.101.98.133:443 -> 192.168.2.5:49707 version: TLS 1.2

Source: KJKJJJECFI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: KJKJJJECFI.exe
Source:	Binary string: CareUEyes.pdb source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdbUGP source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdb source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CareUEyes.pdb&a source: KJKJJJECFI.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: pleasurecanbesafe.com/7vAficZogD/index.php

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 155.101.98.133 155.101.98.133

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /docs/info/regex_1.html HTTP/1.1User-Agent: howHost: www.math.utah.edu

Source: unknown

DNS traffic detected: queries for: www.math.utah.edu

Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KJKJJJECFI.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/analyzer/tj.html?uuid=%s&tm=%I64d&ver=%s&it=%s&reg=%dhttp://care-e
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/config/switch.datenablehttp://care-eyes.com/careueyes/v1/config/sw
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eye
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/careueyes/v1/pay/query_license.php&method=leftcodesubscriptionend
Source: KJKJJJECFI.exe	String found in binary or memory: http://care-eyes.com/invite/query_rewards.phpid=http://care-eyes.com/invite.html?inv=%s/RtlGetNtVers
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.d
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicer
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KJKJJJECFI.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: KJKJJJECFI.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: KJKJJJECFI.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://s.symcd.com06
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: KJKJJJECFI.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: KJKJJJECFI.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: KJKJJJECFI.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: KJKJJJECFI.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.0000000005623000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: KJKJJJECFI.exe	String found in binary or memory: https://api.myip.la/en?jsonhttp://ip-api.com/jsonhttps://ipv4.ip.nf/me.jsonhttps://freegeoip.app/jso
Source: KJKJJJECFI.exe	String found in binary or memory: https://bit.ly/3feVIiY
Source: Sendevsvc.exe, 00000007.00000003.2228548837.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, Sendevsvc.exe, 00000007.00000003.2228163024.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3feVIiYUEyes
Source: KJKJJJECFI.exe, 00000000.00000003.1976607989.0000000001A10000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bit.ly/3feVIiYfinder
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/buy.html?uuid=%s&tm=%I64d&ver=%s&it=%sd
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/how-to-use-magicx-feature/%.2fs$
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://care-eyes.com/how-to-use-magicx-feature/%.2fs$8
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/how-to-use-sunrise-sunset-feature/openslider_orange_progressslider_orange_bart
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/license-reset.html
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com/what-is-pomodoro-technique/
Source: KJKJJJECFI.exe	String found in binary or memory: https://care-eyes.com?about
Source: KJKJJJECFI.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.co
Source: KJKJJJECFI.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: KJKJJJECFI.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: KJKJJJECFI.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/
Source: KJKJJJECFI.exe	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html/
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmlU
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmlws
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmly

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 155.101.98.133:443 -> 192.168.2.5:49707 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

PE / OLE file has an invalid certificate

Source: KJKJJJECFI.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: KJKJJJECFI.exe, 00000000.00000002.1999157020.000000000612D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000064E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: kernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000002.1998361646.0000000005422000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ekernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: kernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
Source: KJKJJJECFI.exe	Binary or memory string: Ekernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: nvapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe	Section loaded: profapi.dll	Jump to behavior

Uses 32bit PE files

Source: KJKJJJECFI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@7/4@1/1

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File created: C:\Users\user\AppData\Roaming\careueyes

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File created: C:\Users\user\AppData\Local\Temp\4476cd9c

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: KJKJJJECFI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KJKJJJECFI.exe	ReversingLabs: Detection: 87%
Source: KJKJJJECFI.exe	Virustotal: Detection: 68%

Source: KJKJJJECFI.exe	String found in binary or memory: id-cmc-addExtensions
Source: KJKJJJECFI.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

File read: C:\Users\user\Desktop\KJKJJJECFI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KJKJJJECFI.exe "C:\Users\user\Desktop\KJKJJJECFI.exe"
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe "C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe"
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: ivls.2.dr

LNK file: ..\..\Roaming\NBFoundation\Sendevsvc.exe

Source: KJKJJJECFI.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KJKJJJECFI.exe

Static file information: File size 6699592 > 1048576

Source: KJKJJJECFI.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37b800
Source: KJKJJJECFI.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x137600
Source: KJKJJJECFI.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x163600

Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KJKJJJECFI.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KJKJJJECFI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: KJKJJJECFI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: KJKJJJECFI.exe
Source:	Binary string: CareUEyes.pdb source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdbUGP source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: KJKJJJECFI.exe
Source:	Binary string: wntdll.pdb source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CareUEyes.pdb&a source: KJKJJJECFI.exe

PE file contains an invalid checksum

Source: qsbtcxh.2.dr	Static PE information: real checksum: 0x0 should be: 0x6e9ad
Source: KJKJJJECFI.exe	Static PE information: real checksum: 0x3dab6c should be: 0x66661f

PE file contains sections with non-standard names

Source: qsbtcxh.2.dr

Static PE information: section name: lxp

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\qsbtcxh

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\qsbtcxh

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QSBTCXH

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\cmd.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qsbtcxh

Jump to dropped file

Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Qvmware
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\KJKJJJECFI.exe	NtSetInformationThread: Direct from: 0x10F1A4F			Jump to behavior
Source: C:\Users\user\Desktop\KJKJJJECFI.exe	NtQuerySystemInformation: Direct from: 0x5A9D020			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2792 base: 5179C0 value: 55			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2792 base: 2980000 value: 00			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 5179C0			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2980000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\KJKJJJECFI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: KJKJJJECFI.exe	Binary or memory string: Eskin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: skin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: Sendevsvc.exe, 00000007.00000000.2222647313.000000000074D000.00000002.00000001.01000000.0000000C.sdmp, Sendevsvc.exe, 00000007.00000002.2229766624.000000000074D000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: Bskin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\KJKJJJECFI.exe

Code function: 0_2_01047996 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01047996

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.cmd.exe.60400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cmd.exe.60400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2254651788.0000000006040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2255985779.0000000002981000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\qsbtcxh, type: DROPPED

ID:	1420081
Product:	CloudBasic
Start time:	12:36:09
Start date:	04.04.2024
Sample:	KJKJJJECFI.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ce355f68f7fb9bcc5a1e140da2398489
SHA1:	917b5d290b3a0a28e092ccd53d6f9206223d9293
SHA256:	56fd2541a36680249ec670d07a5682d2ef5a343d1feccbcf2c3da86bd546af85
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\regex_1[1].htm	HTML document, ASCII text	3BCAC0C44DB080CE09E54DA0902D215B	63FD5AA932400DB98514798180CB3AFB9039F622	E2BDD382B97FE8630663685ADC8C718E67C405B4D66AC54F9FA5BA5DC04A8D07
C:\Users\user\AppData\Local\Temp\4476cd9c	data	04AFEC2C99CD93234E4FF565A7D19794	61321775F904DB8AC0B19ABF3EBF84D4D84BC9DD	C563247275EEEC2A8C9C6A486AED1858B2FA5FED674C4EE3E171D138B66BEAC8
C:\Users\user\AppData\Local\Temp\ivls	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 13:16:50 2023, mtime=Thu Apr 4 09:36:55 2024, atime=Thu Apr 4 09:36:52 2024, length=6699592, window=hide	AEB050D811A6A888EA7862E28F0A744E	D6D2C44432BD89C62634F991ED5A8890B7A6EBBB	8C829AD064618C8AB75F11130A027A28B179327335897EF07DF2E47245F0DED3
C:\Users\user\AppData\Local\Temp\qsbtcxh	PE32 executable (GUI) Intel 80386, for MS Windows	3E36745728E1302C0DD36455A818DA59	83207703EE94B56A583D676FD281A1078832798C	8B224791DCD7DD8337A5115B432E1B847F6D5D418BADB39BC0F50C19981C9D9A

Windows Analysis Report
KJKJJJECFI.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report KJKJJJECFI.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
KJKJJJECFI.exe

Malware Threat Intel
Provided by