Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

oyjijsfjjtyhad.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.301336614433911
Filename:	oyjijsfjjtyhad.exe
Filesize:	550912
MD5:	bd0fdaabed40d16fffeac608d7a68822
SHA1:	f2a5d6a2be78424dc598ebb636401add7f2feef9
SHA256:	b3f87af043d22e844171b6bf66e4a6d966d880c0dd8e8aa61f25ac382546b3af
SHA512:	4db0cfb69e03d0658874389180bdac7c20d75565fbd77ec9adffb00ce59250ef036497bc9cf46383baa449528ba1208bdfbfc06f06c45df94fbc348612f3f45f
SSDEEP:	6144:sYqdc0NkzDVUTfmTIlA41tBcN3p0NIb88WsNMPaKFP3b2V122J0sL:s9J8qjXLcN3CNIb88WsNMP5F1k
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.n...............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Reads the System eventlog	Spam, unwanted Advertisements and Ransom Demands
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Enables debug privileges	Anti Debugging
Enables security privileges	System Summary
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\oyjijsfjjtyhad.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\oyjijsfjjtyhad.exe.log
Category:	dropped
Dump:	oyjijsfjjtyhad.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\oyjijsfjjtyhad.exe
Type:	CSV text
Entropy:	5.370111951859942
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
Size:	1281
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\oyjijsfjjtyhad.exe

"C:\Users\user\Desktop\oyjijsfjjtyhad.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6532
Target ID:	0
Parent PID:	4056
Name:	oyjijsfjjtyhad.exe
Path:	C:\Users\user\Desktop\oyjijsfjjtyhad.exe
Commandline:	"C:\Users\user\Desktop\oyjijsfjjtyhad.exe"
Size:	550912
MD5:	BD0FDAABED40D16FFFEAC608D7A68822
Time:	12:53:10
Date:	11/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3c0000
Modulesize:	573440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6512
Target ID:	1
Parent PID:	6532
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:53:10
Date:	11/03/2025
Reason:	newprocess
Reputation:	timeout
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e60e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ip.sb/ip

unknown

Details

Name:	https://api.ip.sb/ip
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\oyjijsfjjtyhad.exe
Source:	oyjijsfjjtyhad.exe, 00000000.00000002.969232431.0000000002718000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ip.s

unknown

https://discord.com/api/v9/users/

unknown

Details

Name:	https://discord.com/api/v9/users/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\oyjijsfjjtyhad.exe
Source:	oyjijsfjjtyhad.exe, 00000000.00000002.969232431.00000000027DD000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

9AC000

heap

page read and write

9C6000

heap

page read and write

9E1000

heap

page read and write

B60000

heap

page read and write

2897000

trusted library allocation

page read and write

3C0000

unkown

page readonly

26A0000

heap

page execute and read and write

7FF9368F0000

trusted library allocation

page execute and read and write

2811000

trusted library allocation

page read and write

A67000

heap

page read and write

28A8000

trusted library allocation

page read and write

1AFC0000

heap

page read and write

1B210000

heap

page execute and read and write

582000

stack

page read and write

1B00D000

heap

page read and write

1AF9E000

heap

page read and write

900000

heap

page read and write

7FF936830000

trusted library allocation

page execute and read and write

A0D000

heap

page read and write

2857000

trusted library allocation

page read and write

1AC3C000

stack

page read and write

286A000

trusted library allocation

page read and write

1E5AE000

stack

page read and write

28DB000

trusted library allocation

page read and write

28DD000

trusted library allocation

page read and write

1B4DD000

stack

page read and write

1AFB6000

heap

page read and write

7FF9367C6000

trusted library allocation

page read and write

28CE000

trusted library allocation

page read and write

7FF9368D0000

trusted library allocation

page read and write

950000

trusted library allocation

page read and write

A82000

heap

page read and write

2839000

trusted library allocation

page read and write

7FF9367D0000

trusted library allocation

page execute and read and write

9A0000

heap

page read and write

1C5E0000

heap

page read and write

B85000

heap

page read and write

1B3D0000

heap

page read and write

A9C000

heap

page read and write

2895000

trusted library allocation

page read and write

1CCE2000

trusted library allocation

page read and write

7FF9368B0000

trusted library allocation

page read and write

7FF93673D000

trusted library allocation

page execute and read and write

1AFA9000

heap

page read and write

1B300000

heap

page read and write

2835000

trusted library allocation

page read and write

284A000

trusted library allocation

page read and write

1AFAF000

heap

page read and write

28B9000

trusted library allocation

page read and write

285D000

trusted library allocation

page read and write

1AFEE000

heap

page read and write

9A6000

heap

page read and write

284C000

trusted library allocation

page read and write

28F0000

trusted library allocation

page read and write

A98000

heap

page read and write

26B1000

trusted library allocation

page read and write

1B008000

heap

page read and write

B80000

heap

page read and write

1AFCD000

heap

page read and write

A7B000

heap

page read and write

7FF93672D000

trusted library allocation

page execute and read and write

3C2000

unkown

page readonly

2860000

trusted library allocation

page read and write

1AF93000

heap

page read and write

7FF936713000

trusted library allocation

page execute and read and write

283D000

trusted library allocation

page read and write

1AFC5000

heap

page read and write

28AA000

trusted library allocation

page read and write

1AF80000

heap

page read and write

A3C000

heap

page read and write

284F000

trusted library allocation

page read and write

7FF9367F6000

trusted library allocation

page execute and read and write

9DE000

heap

page read and write

287F000

trusted library allocation

page read and write

1B518000

heap

page read and write

286E000

trusted library allocation

page read and write

28C8000

trusted library allocation

page read and write

289B000

trusted library allocation

page read and write

1B4F0000

heap

page read and write

B00000

trusted library section

page readonly

126B6000

trusted library allocation

page read and write

5D0000

heap

page read and write

126B8000

trusted library allocation

page read and write

28EC000

trusted library allocation

page read and write

2751000

trusted library allocation

page read and write

28BD000

trusted library allocation

page read and write

2899000

trusted library allocation

page read and write

28C0000

trusted library allocation

page read and write

7FF4A5DD0000

trusted library allocation

page execute and read and write

1B4E0000

heap

page read and write

7FF9368E0000

trusted library allocation

page read and write

126B3000

trusted library allocation

page read and write

B10000

heap

page read and write

9CB000

heap

page read and write

2940000

trusted library allocation

page read and write

1B305000

heap

page read and write

7FF9367C0000

trusted library allocation

page read and write

1B0B3000

heap

page read and write

28EA000

trusted library allocation

page read and write

7FF9368C0000

trusted library allocation

page read and write

28AC000

trusted library allocation

page read and write

2718000

trusted library allocation

page read and write

28AE000

trusted library allocation

page read and write

9C9000

heap

page read and write

7FF936714000

trusted library allocation

page read and write

28EE000

trusted library allocation

page read and write

262E000

stack

page read and write

27DD000

trusted library allocation

page read and write

5E0000

heap

page read and write

7FF9367CC000

trusted library allocation

page execute and read and write

7FF93671D000

trusted library allocation

page execute and read and write

28CC000

trusted library allocation

page read and write

28CA000

trusted library allocation

page read and write

126B1000

trusted library allocation

page read and write

7FF93673B000

trusted library allocation

page execute and read and write

A0B000

heap

page read and write

8D0000

heap

page read and write

1AFF3000

heap

page read and write

7FF936730000

trusted library allocation

page read and write

1E7AF000

stack

page read and write

26F9000

trusted library allocation

page read and write

A94000

heap

page read and write

1B010000

heap

page read and write

28B7000

trusted library allocation

page read and write

2848000

trusted library allocation

page read and write

28BB000

trusted library allocation

page read and write

7FF936734000

trusted library allocation

page read and write

283B000

trusted library allocation

page read and write

1D1BE000

stack

page read and write

28A6000

trusted library allocation

page read and write

D8E000

stack

page read and write

1B0B0000

heap

page read and write

3C0000

unkown

page readonly

1E6AE000

stack

page read and write

C8E000

stack

page read and write

1B005000

heap

page read and write

910000

heap

page read and write

28D0000

trusted library allocation

page read and write

287D000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

905000

heap

page read and write

970000

trusted library allocation

page read and write

28E8000

trusted library allocation

page read and write

AD0000

heap

page read and write

2837000

trusted library allocation

page read and write

7FF936723000

trusted library allocation

page read and write

A8A000

heap

page read and write

2822000

trusted library allocation

page read and write

286C000

trusted library allocation

page read and write

7FF93676C000

trusted library allocation

page execute and read and write

3EE000

unkown

page readonly

There are 141 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
oyjijsfjjtyhad.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportoyjijsfjjtyhad.exe

Files

Processes

URLs

Memdumps

IOC Report
oyjijsfjjtyhad.exe