Edit tour

Windows Analysis Report
hBB2KnTndI.exe

Overview

General Information

Sample Name:	hBB2KnTndI.exe
Analysis ID:	635800
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
Tags:	32exetrojan
Infos:

Detection

Amadey

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Contains functionality to prevent local Windows debugging

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

hBB2KnTndI.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\hBB2KnTndI.exe" MD5: B413FF6E943C415AFC26640FF535C724)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AppLaunch.exe (PID: 6860 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

orxds.exe (PID: 6924 cmdline: "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe" MD5: 6807F903AC06FF7E1670181378690B22)

WerFault.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.hBB2KnTndI.exe.8a0000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.hBB2KnTndI.exe.8a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.hBB2KnTndI.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.0.hBB2KnTndI.exe.400000.2.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hBB2KnTndI.exe	Virustotal: Detection: 39%			Perma Link
Source: hBB2KnTndI.exe	ReversingLabs: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000000.265811134.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then sub esp, 1Ch
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then push ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 0046E320h
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 4x nop then jmp 00484510h

Source: hBB2KnTndI.exe

String found in binary or memory: http://gcc.gnu.org/bugs.html):

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00407090 CreateMutexW,GetLastError,GetFileAttributesA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402150 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

Source: hBB2KnTndI.exe, 00000000.00000000.265140513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: hBB2KnTndI.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00468160
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CD137
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C250
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004503C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004593D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454440
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00466420
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00467430
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004BA540
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044B500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00456500
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044D5E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004416C0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004656F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D87F0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0045A780
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041C8E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004428E0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00457970
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004439D0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044AA40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044CA70
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044EA00
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00453A30
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DBB27
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DBC47
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00420CD0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004D8C88
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00425D40
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00445DE0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00450DA0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00444DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00459DB0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DDE50
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004DCE9D
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00452F60
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00454F10
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0041AFC0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00414FF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0043DFF0
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00449F90
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0044BFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00422868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00409877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00404120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00426A7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00427A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004223D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00416D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00425707

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004C9BD0 appears 34 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 0040146E appears 85 times
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: String function: 004A57E0 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004123E0 appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: String function: 004137B0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: String function: 00DCFB02 appears 62 times

Source: hBB2KnTndI.exe

Static PE information: invalid certificate

Source: hBB2KnTndI.exe

Static PE information: Number of sections : 16 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe 115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5

Source: hBB2KnTndI.exe	Virustotal: Detection: 39%
Source: hBB2KnTndI.exe	ReversingLabs: Detection: 39%

Source: hBB2KnTndI.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\hBB2KnTndI.exe "C:\Users\user\Desktop\hBB2KnTndI.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f

Jump to behavior

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@7/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hBB2KnTndI.exe

Static file information: File size 2476494 > 1048576

Source:	Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: hBB2KnTndI.exe, hBB2KnTndI.exe, 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000005.00000002.267846742.000000000042B000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: applaunch.pdb source: orxds.exe, orxds.exe, 00000007.00000000.265811134.0000000000DC1000.00000020.00000001.01000000.00000004.sdmp, orxds.exe.5.dr

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004115A7 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A160 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D2D0 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047C3C0 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479530 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0046A690 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00479780 push eax; mov dword ptr [esp], ebx
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_0047D920 push eax; mov dword ptr [esp], ebx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004137F6 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_00DCF8E8 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_00DCFAD0 push ecx; ret

Source: hBB2KnTndI.exe	Static PE information: section name: /4
Source: hBB2KnTndI.exe	Static PE information: section name: /14
Source: hBB2KnTndI.exe	Static PE information: section name: /29
Source: hBB2KnTndI.exe	Static PE information: section name: /41
Source: hBB2KnTndI.exe	Static PE information: section name: /55
Source: hBB2KnTndI.exe	Static PE information: section name: /67
Source: hBB2KnTndI.exe	Static PE information: section name: /80
Source: hBB2KnTndI.exe	Static PE information: section name: /91
Source: hBB2KnTndI.exe	Static PE information: section name: /102

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

Source: hBB2KnTndI.exe

Static PE information: real checksum: 0x2619f8 should be: 0x25f5ed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_00DCD53A rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Evaded block: after key decision

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	API coverage: 8.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00424F00 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_0041E292 FindFirstFileExW,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00402C50 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_00DCD53A rdtsc

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_00411C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CF542 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004CB7B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004EEBEC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00419122 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00415391 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Code function: 0_2_004011A5 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,KiUserExceptionDispatcher,_cexit,ExitProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413738 SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00413983 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_00417C96 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 5_2_004135D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	Code function: 7_2_00DCF580 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B1008

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004EEC21 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Code function: 7_2_00DC915E LoadLibraryExW,GetProcAddress,FreeLibrary,IsDebuggerPresent,DebugBreak,

Source: C:\Users\user\Desktop\hBB2KnTndI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe "C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"

Source: C:\Users\user\Desktop\hBB2KnTndI.exe

Code function: 0_2_004C9813 cpuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00413811 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00421B1C _free,GetTimeZoneInformation,_free,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_00405230 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 5_2_0040F1D0 IsUserAnAdmin,GetUserNameW,GetComputerNameExW,

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hBB2KnTndI.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hBB2KnTndI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hBB2KnTndI.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	511 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	511 Process Injection	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hBB2KnTndI.exe	39%	Virustotal		Browse
hBB2KnTndI.exe	39%	ReversingLabs	Win32.Trojan.Jaik

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	2%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.3.hBB2KnTndI.exe.8a0000.0.unpack	100%	Avira	HEUR/AGEN.1237917		Download File
5.2.AppLaunch.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1237910		Download File

Name	Source	Malicious	Antivirus Detection	Reputation
http://gcc.gnu.org/bugs.html):	hBB2KnTndI.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635800
Start date and time: 29/05/202219:42:26	2022-05-29 19:42:26 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	hBB2KnTndI.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@7/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.3% (good quality ratio 2.6%) Quality average: 50.5% Quality standard deviation: 35.1%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.21
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_1b4c45b6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6825554213562323
Encrypted:	false
SSDEEP:	96:E2F95Q1hDNH7DAfFpXIQcQvc6QcEDMcw3Dz+HbHg/5VG4rmMOyWZAXGng5FMTPSy:bv5gF8HBUZMXwjlq/u7s9S274ItE
MD5:	F49AA2CE34201C0ED4C6DC7E2580B784
SHA1:	94AE53C0212FAF3261D369EE8A0350552D1C4F60
SHA-256:	F9FEEC72FC0B01B4633E664EEB02CC6814AFDF2B02B091CD8618E5F7EFBFBC23
SHA-512:	9C0D924AB54E72CE3A7E679A176D027964D43AA282DB31E55086198C5A1788FB452D0C43B41DE46286C6E1075F0EF0CFBA5F9714E20FE590E6D52F254B2D83AF
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.3.5.2.2.1.8.9.0.2.7.5.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.3.5.2.2.2.2.4.0.2.7.4.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.3.5.6.6.0.2.-.1.4.2.3.-.4.1.f.c.-.a.3.9.0.-.c.7.3.0.8.4.3.a.e.8.1.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.6.f.e.2.5.0.-.7.b.b.3.-.4.0.3.4.-.b.6.b.9.-.b.6.d.e.d.5.9.e.2.0.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.B.B.2.K.n.T.n.d.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.d.-.2.e.4.0.-.f.9.0.8.c.f.7.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.1.9.a.6.8.d.c.7.b.4.d.3.5.6.1.6.f.6.1.b.3.2.1.2.a.4.1.d.9.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.c.c.1.3.d.5.2.b.f.2.8.4.1.6.f.3.b.8.a.5.9.4.d.5.8.1.1.3.f.d.8.8.2.8.a.4.0.9.3.!.h.B.B.2.K.n.T.n.d.I...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER325D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 30 02:43:39 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	32426
Entropy (8bit):	2.012984607377576
Encrypted:	false
SSDEEP:	192:JJlJbdOQhLD18DuPqDBJKh7E/qeQwq7A3yJ0Q:bQQl58DuSexEieQ5
MD5:	69ADA93D12ABB0E7C95863E57644450F
SHA1:	23B31CC845750963355D8E4660D81C46008008A1
SHA-256:	2EA59657AA7702D7A3BC07DA5AF7FF2B8308E8773A19679275F97FE4ABDE4326
SHA-512:	74FA6F6D6B5A80E573AB97F23D852B98A560AFD7113B53BF715263DA1FDADD19979D6B5A5AC42249BDD182F03E7222B5DCF757A318FDB60BD278C4A8E80A5B3D
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......[/.b........................................H...........T.......8...........T................s...........................................................................................U...........B..............GenuineIntelW...........T.......@...M/.b.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36B3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.698076292139725
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiZX6mq6YWoSUH6qiNAgmfcSQoCpr489bnUsfgNm:RrlsNip696YJSUH6agmfcSKnHfH
MD5:	27A6D542C4C16DC1970A3F52A30DDC6B
SHA1:	D2CFB22FCEF5BECA746739AF241D23EBB41ABBE0
SHA-256:	4DACF9F643C7197F00BF93F42F1412C6E8615F440964804A4E9DCD97CA505B50
SHA-512:	34E344EB617A86963AEE9DADCC7EF5E50912A88B99681609C0A7CC095D862BA96CA9F16480CC3C2B2F027DE3E1C0B5971D289DE3F8EF67C4EA9002ED24E3ACC4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A6D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4568
Entropy (8bit):	4.464078860628713
Encrypted:	false
SSDEEP:	48:cvIwSD8zsEJgtWI9vsDmWgc8sqYj5ya8fm8M4J0HFf2j+q8Qq02jKlkd:uITfCisDngrsqYdyvJZI02jekd
MD5:	A8031E7E8BF09A8436C1A691EBDF881D
SHA1:	851D82DCE40546C019AA67F0C915511A25FBF8AE
SHA-256:	75DC3A49DAAB91D935325967AD398B780C096D71F941C53D0ABDD70616C70974
SHA-512:	5BBAA17FAEED418F2426365AA6FA8A376B764A41C18203CE72809493DE712C13D07DF9B9328B1756001AD6646DF6644BAB71391089AD3AD659C02F559487784E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1537194" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98912
Entropy (8bit):	6.288162510609848
Encrypted:	false
SSDEEP:	1536:mdCQC+TbenjRV4hbdZ7Fbk7zrbITCFcnMeaYNVq7B7d:mdCQZTbejTHXACFcnMjiMJ
MD5:	6807F903AC06FF7E1670181378690B22
SHA1:	901EC730ADC4A7C8531E8DA343A977E04FDE8B03
SHA-256:	115D04150F524C103CA08E18305B0B103A3767336E19404235D2017F4B233CE5
SHA-512:	37CC7812BFD4F5A4D81D7D4B5B5906D35928856BFAF7B532481B4233AFA36E9C41C3D42D84290288A0DEB47F5D8CD54FE1280C1E0F639B8240F9AB2638716EEB
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 2%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O...!R..!R..!RR..R..!R8..R..!R8..R..!R8..R..!R8..R..!R...R..!R.. Rg.!RR..R..!R.Y.R..!R.Y.R..!R.Y.R..!RRich..!R........................PE..L..._X.Z.........."..........2............... ....@..................................@....@...... ...........................A.......P...............D..`>...`..........T..............................@............@...............................text............................... ..`.data........ ......................@....idata..j....@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.357132284261992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hBB2KnTndI.exe
File size:	2476494
MD5:	b413ff6e943c415afc26640ff535c724
SHA1:	fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256:	7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA512:	ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815
SSDEEP:	24576:dofQL0YjKOTrGRTnFZUDt4KZHD6XyeOjuTfedlb0hv4d7KXl8p+NauQ5V3h357:dofQL0YjKOTrGJ7C5iOjuTWdlxd7Kc
TLSH:	1CB51A135A8B0E75DDC23BB4A1CB633E9734EE30CA2A9B7FF609C53559532C5681A702
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..b.j...R...........\...H...............p....@...................................&....... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4012e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6290AF3D [Fri May 27 11:00:13 2022 UTC]
TLS Callbacks:	0x41bc40, 0x41bbf0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0dfe559e003c7370c899d20dea7dea8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	9/2/2021 11:32:59 AM 9/1/2022 11:32:59 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	D15B2B9631F8B37BA8D83A5AE528A8BB
Thumbprint SHA-1:	8740DF4ACB749640AD318E4BE842F72EC651AD80
Thumbprint SHA-256:	2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
Serial:	33000002528B33AAF895F339DB000000000252

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [005372F0h]
call 00007FF19D099750h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [005372F0h]
call 00007FF19D099730h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537328h]
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
jmp dword ptr [00537318h]
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov dword ptr [esp], 004F1000h
call 00007FF19D0C38A9h
sub esp, 04h
test eax, eax
je 00007FF19D099947h
mov dword ptr [esp], 004F1000h
mov ebx, eax
call 00007FF19D0C3850h
sub esp, 04h
mov dword ptr [00536A54h], eax
mov dword ptr [esp+04h], 004F1013h
mov dword ptr [esp], ebx
call 00007FF19D0C3870h
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 004F1029h
mov dword ptr [esp], ebx
call 00007FF19D0C385Bh
sub esp, 08h
mov dword ptr [004B7000h], eax
test esi, esi
je 00007FF19D0998A3h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x137000	0xb98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x25a206	0x27c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x139004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x137230	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb5b5c	0xb5c00	False	0.379203114254	data	6.26139811273	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0xb7000	0x39ce8	0x39e00	False	0.75697725432	data	7.53280661319	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0xf1000	0xb1d8	0xb200	False	0.318929950843	data	5.61563738189	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/4	0xfd000	0x38a80	0x38c00	False	0.180035965033	data	4.78722613482	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0x136000	0xb60	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x137000	0xb98	0xc00	False	0.4052734375	data	4.97230024056	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT	0x138000	0x18	0x200	False	0.046875	data	0.118369631259	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls	0x139000	0x20	0x200	False	0.05859375	data	0.22482003451	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/14	0x13a000	0xd8	0x200	False	0.189453125	data	1.05435750986	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/29	0x13b000	0x14e37	0x15000	False	0.38714890253	data	6.07122897105	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/41	0x150000	0x13b8	0x1400	False	0.25234375	data	4.72334895544	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/55	0x152000	0x1f23	0x2000	False	0.54150390625	data	6.21611847392	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/67	0x154000	0x38	0x200	False	0.1171875	TIM image, (3080,1028)	0.668238434502	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/80	0x155000	0x2ae	0x400	False	0.3525390625	data	3.87768624749	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/91	0x156000	0x829a	0x8400	False	0.315814393939	data	4.14712052349	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
/102	0x15f000	0xcd8	0xe00	False	0.345145089286	data	3.1533400052	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReleaseSemaphore, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	_fdopen, _fstat, _lseek, _read, _strdup, _stricoll, _write
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _errno, _filbuf, _flsbuf, _fmode, _fpreset, _fullpath, _iob, _isctype, _onexit, _pctype, _setmode, abort, atexit, atoi, calloc, fclose, fflush, fopen, fputc, fputs, fread, free, fseek, ftell, fwrite, getenv, getwc, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, putwc, realloc, setlocale, setvbuf, signal, sprintf, strchr, strcmp, strcoll, strerror, strftime, strlen, strtod, strtoul, strxfrm, tolower, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm
USER32.dll	MessageBoxW

Target ID:	0
Start time:	19:43:25
Start date:	29/05/2022
Path:	C:\Users\user\Desktop\hBB2KnTndI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hBB2KnTndI.exe"
Imagebase:	0x400000
File size:	2476494 bytes
MD5 hash:	B413FF6E943C415AFC26640FF535C724
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.262491711.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.264188526.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000000.264842182.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.279205067.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: conhost.exePID: 6480, Parent PID: 6464

General

Target ID:	1
Start time:	19:43:26
Start date:	29/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: AppLaunch.exePID: 6860, Parent PID: 6464

General

Target ID:	5
Start time:	19:43:36
Start date:	29/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x360000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.267821297.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: orxds.exePID: 6924, Parent PID: 6860

General

Target ID:	7
Start time:	19:43:37
Start date:	29/05/2022
Path:	C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
Imagebase:	0xdc0000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 2%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Analysis Process: WerFault.exePID: 6944, Parent PID: 6464

General

Target ID:	8
Start time:	19:43:37
Start date:	29/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 148
Imagebase:	0xc50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hBB2KnTndI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hBB2KnTndI.exe_ad2fc02f1e967b8af8cf5fed27f1f4916534b2_362a01e9_1b4c45b6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER325D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36B3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A6D.tmp.xml

C:\Users\user\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

Behavior

System Behavior

Windows Analysis Report
hBB2KnTndI.exe