Windows Analysis Report
4g33Ui2SbU.exe

Overview

General Information

Sample name: 4g33Ui2SbU.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 2505bb7f0ae912f92c186c92f763aa28b7b2f507a05cbb2de98bd21977fa52f1
Analysis ID: 1417425
MD5: 5b9c9f8f0ef5e8b1669e1ce9cfaf54fb
SHA1: 00f4b4c3472185fcadbc92dbadab4d4b085a01fc
SHA256: 2505bb7f0ae912f92c186c92f763aa28b7b2f507a05cbb2de98bd21977fa52f1
Infos:

Detection

FloodFix
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected FloodFix
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Creates a DirectInput object (often for capturing keystrokes)
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Searches for user specific document files
Tries to load missing DLLs
Uses 32bit PE files
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection

Source: 4g33Ui2SbU.exe Avira: detected
Source: http://www.aieov.com/so.gif Avira URL Cloud: Label: malware
Source: http://www.aieov.com/logo.gif Avira URL Cloud: Label: malware
Source: C:\Program Files\Common Files\System\symsrv.dll Avira: detection malicious, Label: TR/Floxif.BB
Source: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe.tmp Avira: detection malicious, Label: W32/Floxif.iici
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp Avira: detection malicious, Label: W32/Infector.Gen4
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpOav.dll.tmp Avira: detection malicious, Label: W32/Infector.Gen4
Source: www.aieov.com Virustotal: Detection: 10%
Source: 5isohu.com Virustotal: Detection: 9%
Source: http://www.aieov.com/logo.gif Virustotal: Detection: 8%
Source: http://www.aieov.com/so.gif Virustotal: Detection: 6%
Source: C:\Program Files\Common Files\System\symsrv.dll ReversingLabs: Detection: 94%
Source: C:\Program Files\Common Files\System\symsrv.dll Virustotal: Detection: 91%
Source: C:\Program Files\Common Files\System\symsrv.dll Joe Sandbox ML: detected
Source: 4g33Ui2SbU.exe Joe Sandbox ML: detected
Source: 4g33Ui2SbU.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory created: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory created: c:\program files\common files\system\symsrv.dll.000

Spreading

Source: Yara match File source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Renamed to system file: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23080.2006-0\X86\MpOav.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Renamed to system file: C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll

Networking

Source: Traffic Snort IDS: 2820270 ETPRO TROJAN Win32.Floxif.A Checkin 192.168.2.4:49731 -> 45.56.79.23:80
Source: Traffic Snort IDS: 2820270 ETPRO TROJAN Win32.Floxif.A Checkin 192.168.2.4:49732 -> 45.56.79.23:80
Source: Traffic Snort IDS: 2820270 ETPRO TROJAN Win32.Floxif.A Checkin 192.168.2.4:49733 -> 45.56.79.23:80
Source: Traffic Snort IDS: 2820270 ETPRO TROJAN Win32.Floxif.A Checkin 192.168.2.4:49735 -> 45.56.79.23:80
Source: Traffic Snort IDS: 2820270 ETPRO TROJAN Win32.Floxif.A Checkin 192.168.2.4:49741 -> 45.56.79.23:80
Source: Traffic Snort IDS: 2820270 ETPRO TROJAN Win32.Floxif.A Checkin 192.168.2.4:49742 -> 45.56.79.23:80
Source: global traffic HTTP traffic detected: GET /logo.gif HTTP/1.1 Accept: */* Host: www.aieov.com
Source: global traffic HTTP traffic detected: GET /so.gif HTTP/1.1 Accept: */* Host: www.aieov.com
Source: Joe Sandbox View IP Address: 45.56.79.23
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: 5isohu.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:11:46 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:11:51 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:11:56 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:12:01 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:12:06 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:12:11 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Fri, 29 Mar 2024 08:12:13 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633866451.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633866451.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1DataSourceCLSIDShortNameSupportsAdvancedQuerySyntax
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://appmap.trafficmanager.net/api/v1/parse?url=
Source: 4g33Ui2SbU.exe String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: 4g33Ui2SbU.exe String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: 4g33Ui2SbU.exe String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634502011.000000000B1EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlAUTHROOTSTL1.2.840.1
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633866451.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://http://www.file:///https://StartPinWindows.Internal.Storage.ItemCommandStartUnpinA
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634924430.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https:///WopiFrame.aspx?application/onecoreuap
Source: 4g33Ui2SbU.exe String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: 4g33Ui2SbU.exe String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: 4g33Ui2SbU.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://test.com
Source: 4g33Ui2SbU.exe String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: 4g33Ui2SbU.exe String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645110564.000000000BCED000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1641842507.000000000BC81000.00000004.00000020.00020000.00000000.sdmp, MpOav.dll.tmp.0.dr String found in binary or memory: http://www.validationtest.contoso.com/test%ld.htmlMpOAV_ForceDeepScan
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634502011.000000000B1EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s/%s/%sendcahttps://%s.pinrules.crt/%sRetrieveValidatestaple:OcspGetOcspPostOcspFailoverExp
Source: 4g33Ui2SbU.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: 4g33Ui2SbU.exe String found in binary or memory: https://www.globalsign.com/repository/03
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.modern.ie/Umbraco/Api/CompatIssueApi/PostCompatIssue
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.modern.ie/Umbraco/Api/CompatIssueApi/PostCompatIssue?version=2
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.modern.ie/umbraco/api/readingviewissues/postreadingviewissue
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.cn/spartan/ientp?locale%3D%25s%26market%3D%25s%26enableregulatorypsm%3D%25d%26enable
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/spartan/ientp?locale%3D%25s%26market%3D%25s%26enableregulatorypsm%3D%25d%26enabl
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643629193.000000000B786000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_8d24c809-2
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643629193.000000000B786000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_f3d47297-f
Source: Yara match File source: 00000000.00000003.1643629193.000000000B786000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1645799968.000000000B78B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1629713698.000000000B1E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1640014118.000000000BE82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4g33Ui2SbU.exe PID: 7256, type: MEMORYSTR

System Summary

Source: 4g33Ui2SbU.exe, type: SAMPLE Matched rule: Malware - Floxif Author: Florian Roth
Source: 0.0.4g33Ui2SbU.exe.a10000.0.unpack, type: UNPACKEDPE Matched rule: Malware - Floxif Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: Detects Floxif Malware Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: Detects FloodFix Author: ditekSHen
Source: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe.tmp, type: DROPPED Matched rule: Malware - Floxif Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpOav.dll.tmp, type: DROPPED Matched rule: Malware - Floxif Author: Florian Roth
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp, type: DROPPED Matched rule: Malware - Floxif Author: Florian Roth
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process Stats: CPU usage > 49%
Source: Joe Sandbox View Dropped File: C:\Program Files\Common Files\System\symsrv.dll DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641914337.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel.appcore.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1631755903.000000000B1E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643839713.0000000008771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefastprox.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634264121.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUxTheme.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639787160.000000000BFA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634611130.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCLBCATQ.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640658265.0000000008771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1636212543.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinTypes.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633006197.000000000B71F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHELL32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643629193.000000000B786000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1632088423.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHCORE.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644971664.0000000001D49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLINKINFO.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1635478992.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDUI70.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1635712221.000000000B1E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename"TextInputFramework.DYNLINK"j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1636743885.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExplorerFrame.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634169878.000000000B1E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640731794.000000000877D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLE32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640264917.000000000877E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639516371.000000000BC81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametwinapi.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1629569194.000000000B1E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1631122053.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomdlg32.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1630284956.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645989345.000000000B789000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645903248.0000000008770000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright\StringFileInfo\000004B0\\StringFileInfo\000004E4\\StringFileInfo\040904B0\\StringFileInfo\040904E4\AcGenral.dllAcLayers.dllAcRes.dllAcSpecfc.dllAcWinRT.dllacwow64.dllAcXtrnal.dllKeyboardFilterShim.dllMasterShim.dlldepdetctuacdetctluadgmgt.dllluapriv.dllEMET.dllEMET64.dllLogExts.dllLogShim.dllInstallerDetectionSetupLayer.exeDXGUseWarpRenderingEntry.exeContainer32bitCompatModeEntry.exeNTDLL.DLLVERIFIER.DLLPRINTERRORMARKTRACESIZESIZE_OF_IMAGECHECKSUMBIN_FILE_VERSIONBIN_PRODUCT_VERSIONPRODUCT_VERSIONFILE_DESCRIPTIONCOMPANY_NAMEPRODUCT_NAMEFILE_VERSIONORIGINAL_FILENAMEINTERNAL_NAMELEGAL_COPYRIGHTVERDATEHIVERDATELOVERFILEOSVERFILETYPEMODULE_TYPEPE_CHECKSUMLINKER_VERSION16BIT_DESCRIPTION16BIT_MODULE_NAMELINK_DATEEXPORT_NAMEVER_LANGUAGEEXE_WRAPPERCRC_CHECKSUMFILESIZE vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645903248.0000000008770000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApphelpj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1631263665.000000000B29E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcrt.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642707773.0000000008779000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefastprox.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1636329728.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTipTsf.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637688352.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OpenGLBehaviorOpenCLBehaviorVersionInfoFileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright@@ vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637688352.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedxgi.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640903912.000000000B783000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637845857.000000000BC87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametwinapi.appcore.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1635811192.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCoreMessaging.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637318041.000000000B1E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameD3D11.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vProductNameProductVersionInternalNameOriginalFileNameCompanyNamePlatformLegalCopyrightLegalTrademarks vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1632448121.000000000B1E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643520874.0000000008804000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vProductNameProductVersionInternalNameOriginalFileNameCompanyNamePlatformLegalCopyrightLegalTrademarks vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644505806.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesechost.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641879260.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641879260.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: onecore\base\ngscb\wldp\dll\hostlockdown.cpp\StringFileInfo\12341234\OriginalFilename\VarFileInfo\Translation\StringFileInfo\%04X%04X\OriginalFilename\StringFileInfo\%04X%04X\InternalName*RUNDLL32SVCHOSTSvchostPushServiceGlobalsSvchostPushServiceGlobalsExServiceMainwuaueng.dllWUServiceMaingpsvc.dllGroupPolicyClientServiceMainngcsvc.dllNgcServiceMainScDeviceEnum.dllScDeviceEnumServiceMainNETSETUPSVC.dllNetSetupServiceMainBFE.DLLBfeServiceMaincryptsvc.dllCryptServiceMainicsvc.dllHeartbeatServiceMainKvpexchangeServiceMainShutdownServiceMainTimesyncServiceMainicsvcext.dllRdvServiceMainVssServiceMainIKEEXT.DLLIkeServiceMainipsecsvc.dllSpdServiceMainPeerDistSvc.dllSVCServiceMainProfSvc.dllUserProfileServiceMainSECLOGON.EXESvcEntry_SeclogonSHSVCS.DLLHardwareDetectionServiceMainsysmain.dllSysMtServiceMainTHEMESERVICE.DLLthemeservicemainUmpnpmgr.DLLPlugPlayServiceMainUmpo.DLLumpomainw32time.dllSvchostEntry_W32Timewcmsvc.dllWcmSvcMainwinhttp.dllWinHttpAutoProxySvcMaincertprop.dllcertpropservicemainwlansvc.dllwlansvcmainscardsvr.execalaismainncdautosetup.dllsvchostmaincscsvc.dllcscservicemainwcncsvc.dllwcnservicemainprovsvc.dllproviderservicemaindot3svc.dlldot3svcmainpnrpsvc.dllsvcservicemainimservicemainStorageUsage.dllGetStorageUsageInfoacmigration.dllApplyMigrationShimsacproxy.DLLPerformAutochkOperationsppioobe.dllsetupcalendaraccountforuseredgehtml.dll#125#133davclnt.dlldavsetcookieappxdeploymentextensions.onecore.dllshellrefreshpla.dllplahostaeinv.dllupdatesoftwareinventoryshell32.dllcontrol_rundllshcreatelocalserverrundllstartupscan.dllsusruntaskappxdeploymentclient.dllappxprestagecleanupruntaskuxtheme.dll#64generaltel.dllrungeneraltelemetryruninusercxtpfsvwsswapassessmenttaskshsetup.dllshunattendedsetupmonext.dllstartwindows.storage.applicationdata.dllcleanuptemporarystatewininetplugin.dllmigratecacheforuserdfdts.dlldfdgetdefaultpolicyandsmartdfshim.dllShopenverbshortcutshopenverbapplicationsharpmaintaincoin.dllrunsoftwareinstallnvi2.dlldeferreddeletereseteng.dllrjvcreatesuccesstaskentrypointsetupapi.dllinstallhinfsectionpolicyagentprovider.dllsetup_checknamespacesdisplay.dllshowadaptersettingspolicyagentendpoint.dllsetup_initializepolicynvprxy.dllproxywerconcpl.dlllaunchercappwebconfigca.dllzzzzinvokemanagedcustomactionoutofprocrechelper.dll_rhpid698rheng2@16aiod.dllcreatereaderusersettingsslmsprbootstrap.dllsetupplayreadydatafirewallcontrolpanel.dllshownotificationdialogReportDEPlatformIsHSTIVerifiedReportDEPlatformHstiSecureThunderboltBit%SystemDrive%\DPP\WatermarkHSTITestComplete.bin%SystemDrive%\DPP\WatermarkSBTestComplete.binTEST FAIL: BCD: Foud banned Element type 0x%08lx at OS Loader vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641879260.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewldp.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641879260.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebcryptprimitives.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639480308.0000000008771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTipTsf.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645001376.0000000008772000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644788340.0000000008771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641945678.0000000001D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLINKINFO.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1646266964.000000000877B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1636924654.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsCodecsj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638101079.000000000BC8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsftEdit.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633378519.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644914589.000000000BC81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebcryptprimitives.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637091371.000000000B1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePolicyManager.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634502011.000000000B1EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644914589.000000000BCE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewbemcomn.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645799968.000000000B78B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643520874.0000000008772000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638488877.000000000877A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepropsys.dll@ vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1631477558.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1629713698.000000000B1E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1646184493.0000000008776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640339820.0000000008776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633560202.000000000B1E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLE32.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644847125.000000000BCED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCLBCATQ.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1630869792.000000000B1E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1643957273.000000000B78E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1629924484.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638627341.000000000877D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStructuredQuery.dll@ vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639905594.000000000877A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639560032.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameActXPrxy.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639560032.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentshrui.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641688668.0000000008776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSCTF.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633866451.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644956904.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewbemprox.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644956904.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel.appcore.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644956904.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNCObjAPI.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1635340333.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSCTF.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644588022.000000000B78C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639063254.0000000008777000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows.StateRepositoryPS.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644881556.0000000004205000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637481738.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedcomp.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639231522.000000000877C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright\StringFileInfo\000004B0\\StringFileInfo\000004E4\\StringFileInfo\040904B0\\StringFileInfo\040904E4\AcGenral.dllAcLayers.dllAcRes.dllAcSpecfc.dllAcWinRT.dllacwow64.dllAcXtrnal.dllKeyboardFilterShim.dllMasterShim.dlldepdetctuacdetctluadgmgt.dllluapriv.dllEMET.dllEMET64.dllLogExts.dllLogShim.dllInstallerDetectionSetupLayer.exeDXGUseWarpRenderingEntry.exeContainer32bitCompatModeEntry.exeNTDLL.DLLVERIFIER.DLLPRINTERRORMARKTRACESIZESIZE_OF_IMAGECHECKSUMBIN_FILE_VERSIONBIN_PRODUCT_VERSIONPRODUCT_VERSIONFILE_DESCRIPTIONCOMPANY_NAMEPRODUCT_NAMEFILE_VERSIONORIGINAL_FILENAMEINTERNAL_NAMELEGAL_COPYRIGHTVERDATEHIVERDATELOVERFILEOSVERFILETYPEMODULE_TYPEPE_CHECKSUMLINKER_VERSION16BIT_DESCRIPTION16BIT_MODULE_NAMELINK_DATEEXPORT_NAMEVER_LANGUAGEEXE_WRAPPERCRC_CHECKSUMFILESIZE vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639231522.000000000877C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApphelpj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640504717.000000000BE83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000000.1616015323.0000000000AD8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645110564.000000000BCED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpOAV.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634924430.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1630209382.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1646754801.0000000008773000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHCORE.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640014118.000000000BE82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIeRtUtil.dllD vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1639600658.0000000001D49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLINKINFO.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641774533.0000000008773000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevbscript.dllJ vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641630546.0000000008779000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSXS.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1635614540.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDUser.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645697828.0000000008771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637155175.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp110_win.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638981040.0000000008772000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows.Storage.Search.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1633458410.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesechost.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1635983134.000000000B3BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCoreUIComponents.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1644465740.000000000BCED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638305774.000000000BC8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows.Globalization.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641842507.000000000BC81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpOAV.dllj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe, 00000000.00000003.1641842507.000000000BC81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCLBCATQ.DLLj% vs 4g33Ui2SbU.exe
Source: 4g33Ui2SbU.exe Binary or memory string: OriginalFilenameAutoIt3.exeB vs 4g33Ui2SbU.exe
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: ws2help.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: assignedaccessruntime.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: structuredquery.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: windows.storage.search.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: twinapi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: actxprxy.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: networkexplorer.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Section loaded: fwpuclnt.dll
Source: 4g33Ui2SbU.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 4g33Ui2SbU.exe, type: SAMPLE Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.4g33Ui2SbU.exe.a10000.0.unpack, type: UNPACKEDPE Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe.tmp, type: DROPPED Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpOav.dll.tmp, type: DROPPED Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp, type: DROPPED Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ori.nznet.nzorg.nzparliament.nzschool.nzco.omcom.omedu.omgov.ommed.ommuseum.omnet.omorg.ompro.omac.pagob.pacom.paorg.pasld.paedu.panet.paing.paabo.pamed.panom.paedu.pegob.penom.pemil.peorg.pecom.penet.pecom.pforg.pfedu.pfcom.phnet.phorg.phgov.phedu.phngo.phmil.phi.phcom.pknet.pkedu.pkorg.pkfam.pkbiz.pkweb.pkgov.pkgob.pkgok.pkgon.pkgop.pkgos.pkinfo.pkcom.plnet.plorg.plaid.plagro.platm.plauto.plbiz.pledu.plgmina.plgsm.plinfo.plmail.plmiasta.plmedia.plmil.plnieruchomosci.plnom.plpc.plpowiat.plpriv.plrealestate.plrel.plsex.plshop.plsklep.plsos.plszkola.pltargi.pltm.pltourism.pltravel.plturystyka.plgov.plap.gov.plic.gov.plis.gov.plus.gov.plkmpsp.gov.plkppsp.gov.plkwpsp.gov.plpsp.gov.plwskr.gov.plkwp.gov.plmw.gov.plug.gov.plum.gov.plumig.gov.plugim.gov.plupow.gov.pluw.gov.plstarostwo.gov.plpa.gov.plpo.gov.plpsse.gov.plpup.gov.plrzgw.gov.plsa.gov.plso.gov.plsr.gov.plwsa.gov.plsko.gov.pluzs.gov.plwiih.gov.plwinb.gov.plpinb.gov.plwios.gov.plwitd.gov.plwzmiuw.gov.plpiw.gov.plwiw.gov.plgriw.gov.plwif.gov.ploum.gov.plsdn.gov.plzp.gov.pluppo.gov.plmup.gov.plwuoz.gov.plkonsulat.gov.ploirm.gov.plaugustow.plbabia-gora.plbedzin.plbeskidy.plbialowieza.plbialystok.plbielawa.plbieszczady.plboleslawiec.plbydgoszcz.plbytom.plcieszyn.plczeladz.plczest.pldlugoleka.plelblag.plelk.plglogow.plgniezno.plgorlice.plgrajewo.plilawa.pljaworzno.pljelenia-gora.pljgora.plkalisz.plkazimierz-dolny.plkarpacz.plkartuzy.plkaszuby.plkatowice.plkepno.plketrzyn.plklodzko.plkobierzyce.plkolobrzeg.plkonin.plkonskowola.plkutno.pllapy.pllebork.pllegnica.pllezajsk.pllimanowa.pllomza.pllowicz.pllubin.pllukow.plmalbork.plmalopolska.plmazowsze.plmazury.plmielec.plmielno.plmragowo.plnaklo.plnowaruda.plnysa.plolawa.plolecko.plolkusz.plolsztyn.plopoczno.plopole.plostroda.plostroleka.plostrowiec.plostrowwlkp.plpila.plpisz.plpodhale.plpodlasie.plpolkowice.plpomorze.plpomorskie.plprochowice.plpruszkow.plprzeworsk.plpulawy.plradom.plrawa-maz.plrybnik.plrzeszow.plsanok.plsejny.plslask.plslupsk.plsosnowiec.plstalowa-wola.plskoczow.plstarachowice.plstargard.plsuwalki.plswidnica.plswiebodzin.plswinoujscie.plszczecin.plszczytno.pltarnobrzeg.pltgory.plturek.pltychy.plustka.plwalbrzych.plwarmia.plwarszawa.plwaw.plwegrow.plwielun.plwlocl.plwloclawek.plwodzislaw.plwolomin.plwroclaw.plzachpomor.plzagan.plzarow.plzgora.plzgorzelec.plgov.pnco.pnorg.pnedu.pnnet.pncom.prnet.prorg.prgov.predu.prisla.prpro.prbiz.prinfo.prname.prest.prprof.prac.praaa.proaca.proacct.proavocat.probar.procpa.proeng.projur.prolaw.promed.prorecht.proedu.psgov.pssec.psplo.pscom.psorg.psnet.psnet.ptgov.ptorg.ptedu.ptint.ptpubl.ptcom.ptnome.ptco.pwne.pwor.pwed.pwgo.pwbelau.pwcom.pycoop.pyedu.pygov.pymil.pynet.pyorg.pycom.qaedu.qagov.qamil.qaname.qanet.qaorg.qasch.qaasso.recom.renom.rearts.rocom.rofirm.roinfo.ronom.ront.roorg.rorec.rostore.rotm.rowww.roac.rsco.rsedu.rsgov.rsin.rsorg.rsac.ruedu.rugov.ruint.rumil.rutest.rugov.rwnet.rwedu.rwac.rwcom.rwco.rwint.rwmil.rwgouv.rwcom.sanet.saorg.sagov.samed.sapub.saedu.sasch.sacom.sbedu.sbgov.sbnet.sbor
Source: classification engine Classification label: mal100.spre.troj.winEXE@1/9@6/1
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Users\user\AppData\Local\Temp\update.exe
Source: 4g33Ui2SbU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File read: C:\Users\user\Desktop\4g33Ui2SbU.exe
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{725F645B-EAED-4fc5-B1C5-D9AD0ACCBA5E}\InProcServer32
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File opened: C:\Windows\SysWOW64\MsftEdit.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Window detected: Number of UI elements: 13
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory created: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory created: c:\program files\common files\system\symsrv.dll.000
Source: 4g33Ui2SbU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: tiptsf.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1636329728.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639480308.0000000008771000.00000004.00000020.00020000.00000000.sdmp, tiptsf.dll.tmp.0.dr
Source: Binary string: DUI70.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1635478992.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinapi.appcore.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1637845857.000000000BC87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Globalization.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1638305774.000000000BC8F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1629569194.000000000B1E5000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1643520874.0000000008772000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639905594.000000000877A000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645697828.0000000008771000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1646266964.000000000877B000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640339820.0000000008776000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1630869792.000000000B1E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.Search.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1638981040.0000000008772000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1640146206.000000000877F000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646813940.0000000008772000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1631263665.000000000B1EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1631755903.000000000B1E5000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640658265.0000000008771000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1643369000.000000000B782000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639787160.000000000BE84000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629409813.000000000B6E0000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645215937.000000000B786000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vbscript.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1641774533.0000000008773000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CoreMessaging.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1635811192.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dcomp.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1637481738.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dxgi.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1637688352.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1633378519.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644465740.000000000BCED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DUI70.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1635478992.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wrpcrt4.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1631755903.000000000B1E5000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640658265.0000000008771000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CLBCatQ.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1634611130.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644847125.000000000BCED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crypt32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1634502011.000000000B1EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1643629193.000000000B786000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645799968.000000000B78B000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629713698.000000000B1E3000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640014118.000000000BE82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: propsys.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1638488877.000000000877A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TextShaping.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1636409870.000000000B234000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sxs.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1641630546.0000000008779000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininet.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1633866451.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1643629193.000000000B786000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645799968.000000000B78B000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629713698.000000000B1E3000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640014118.000000000BE82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ExplorerFrame.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1636743885.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comdlg32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1631122053.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1644788340.0000000008771000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646184493.0000000008776000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1630209382.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpOAV.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1645110564.000000000BCED000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1641842507.000000000BC81000.00000004.00000020.00020000.00000000.sdmp, MpOav.dll.tmp.0.dr
Source: Binary string: Windows.Storage.Search.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1638981040.0000000008772000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp110_win.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1637155175.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1643369000.000000000B782000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639787160.000000000BE84000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629409813.000000000B6E0000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645215937.000000000B786000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CLBCatQ.pdbGCTL source: 4g33Ui2SbU.exe, 00000000.00000003.1634611130.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644847125.000000000BCED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CoreUIComponents.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1635983134.000000000B3BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1640731794.000000000877D000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1633560202.000000000B1E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinapi.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1639516371.000000000BC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1645903248.0000000008770000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639231522.000000000877C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iertutil.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DUser.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1635614540.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdbGCTL source: 4g33Ui2SbU.exe, 00000000.00000003.1639063254.0000000008777000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1630284956.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644881556.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1633378519.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644465740.000000000BCED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tiptsf.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1636329728.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639480308.0000000008771000.00000004.00000020.00020000.00000000.sdmp, tiptsf.dll.tmp.0.dr
Source: Binary string: TextShaping.pdbGCTL source: 4g33Ui2SbU.exe, 00000000.00000003.1636409870.000000000B234000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1634169878.000000000B1E4000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640264917.000000000877E000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645001376.0000000008772000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1646929488.000000000B785000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1631477558.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1643957273.000000000B78E000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640504717.000000000BE83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1634924430.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: policymanager.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1637091371.000000000B1EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1645903248.0000000008770000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639231522.000000000877C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1629569194.000000000B1E5000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1643520874.0000000008772000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1639905594.000000000877A000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645697828.0000000008771000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WinTypes.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1636212543.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininet.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1633866451.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WLDP.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1641879260.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinapi.appcore.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1637845857.000000000BC87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d3d11.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1637318041.000000000B1E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ActXPrxy.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1639560032.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CoreMessaging.pdbGCTL source: 4g33Ui2SbU.exe, 00000000.00000003.1635811192.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Globalization.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1638305774.000000000BC8F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StructuredQuery.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1638627341.000000000877D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1632088423.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646754801.0000000008773000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1644914589.000000000BC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1630284956.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644881556.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WindowsCodecs.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1636924654.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dcomp.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1637481738.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CoreUIComponents.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1635983134.000000000B3BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vmbCeNlTlpLNTakTDlwwgEI.exe.tmp.0.dr
Source: Binary string: fastprox.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1643839713.0000000008771000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1642707773.0000000008779000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msftedit.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1638101079.000000000BC8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1646929488.000000000B785000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1631477558.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1643957273.000000000B78E000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640504717.000000000BE83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1634264121.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1639063254.0000000008777000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d3d11.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1637318041.000000000B1E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1646266964.000000000877B000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640339820.0000000008776000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1630869792.000000000B1E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: policymanager.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1637091371.000000000B1EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DUser.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1635614540.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1645989345.000000000B789000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640903912.000000000B783000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629924484.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644588022.000000000B78C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shell32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StructuredQuery.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1638627341.000000000877D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1641688668.0000000008776000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1635340333.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WindowsCodecs.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1636924654.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comdlg32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1631122053.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wgdi32full.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1644788340.0000000008771000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646184493.0000000008776000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1630209382.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1632088423.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646754801.0000000008773000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WLDP.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1641879260.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpOAV.pdbGCTL source: 4g33Ui2SbU.exe, 00000000.00000003.1645110564.000000000BCED000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1641842507.000000000BC81000.00000004.00000020.00020000.00000000.sdmp, MpOav.dll.tmp.0.dr
Source: Binary string: sechost.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1644505806.0000000004205000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1633458410.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TextInputFramework.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1635712221.000000000B1E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: propsys.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1638488877.000000000877A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wUxTheme.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1634264121.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ActXPrxy.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1639560032.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fastprox.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1643839713.0000000008771000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1642707773.0000000008779000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ole32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1640731794.000000000877D000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1633560202.000000000B1E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1641688668.0000000008776000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1635340333.000000000B1E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vbscript.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1641774533.0000000008773000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TextInputFramework.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1635712221.000000000B1E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Storage.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1634924430.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1641914337.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ExplorerFrame.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1636743885.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1644505806.0000000004205000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1633458410.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinapi.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1639516371.000000000BC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1632448121.000000000B1E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Kernel.Appcore.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1641914337.00000000041F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WinTypes.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1636212543.000000000B1ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1644914589.000000000BC81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msftedit.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1638101079.000000000BC8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1634169878.000000000B1E4000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640264917.000000000877E000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1645001376.0000000008772000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dxgi.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1637688352.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sxs.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1641630546.0000000008779000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1645989345.000000000B789000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640903912.000000000B783000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629924484.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1644588022.000000000B78C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: comctl32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1632448121.000000000B1E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: masteredhelpJOLIETUDFvolumelabeludfItemPosItemOrder%s (%d).%s$Windows.~BT\Windows\.appxWindows.old\.appxpackage.appxbundle.cat.automaticdestinations-msData\Program Files\Data\ProgramData\Data\Program Files (x86)\Program Files\Data\Windows\ProgramData\Program Files (x86)\.fon.etl.mp.jar.msi.mpb.msm.msip.cer.cdxml.customdestinations-ms.cookie.dmp.der.efi.dsft.p12.p10.p7c.p7b.p7r.p7m.p7x.p7s.msu.msp.nst.mui.olb.ocx.otf.ost.sft.rll.spkg.spc.sys.sst.vbs.ttc.pdb.partial.pfm.pem.ps1xml.pfx.psf.psc1WININET.xap.vmrs.vmcx.vsix.vsi.wim.wfs.wsf.winmd\shellIfExecTopicft%06dNeverShowExtBrowserFlagsL source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iertutil.pdbUGP source: 4g33Ui2SbU.exe, 00000000.00000003.1638785978.000000000BC87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crypt32.pdb source: 4g33Ui2SbU.exe, 00000000.00000003.1634502011.000000000B1EF000.00000004.00000020.00020000.00000000.sdmp
Source: tiptsf.dll.tmp.0.dr Static PE information: 0x832DD3EB [Wed Sep 28 10:31:07 2039 UTC]
Source: MpOav.dll.tmp.0.dr Static PE information: real checksum: 0x6c5a9 should be: 0x7fa2b
Source: tiptsf.dll.tmp.0.dr Static PE information: real checksum: 0x8ce5f should be: 0xa344f
Source: symsrv.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1f436
Source: 4g33Ui2SbU.exe Static PE information: real checksum: 0xebe77 should be: 0x105827
Source: vmbCeNlTlpLNTakTDlwwgEI.exe.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x39e4f
Source: tiptsf.dll.tmp.0.dr Static PE information: section name: .didat
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
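The "Static PE information" lines above come from three header checks: a stored CheckSum that does not match the image, a COFF TimeDateStamp in the future (0x832DD3EB decodes to 2039), and section names that belong to a packer (UPX0/UPX1 on the initial sample; .didat, by contrast, is the MSVC linker's normal delay-import data section and is a weak signal on its own). The script below is an added example, not Joe Sandbox code and not the sample's: it recomputes OptionalHeader.CheckSum with the algorithm imagehlp's CheckSumMappedFile uses (DWORD sum with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus the file length), decodes the time stamp without going through the platform's 32-bit time functions, and lists section names. build_minimal_pe() constructs a header-only test image so everything runs offline; the 0x832DD3EB and UPX0/UPX1 values fed to it are taken from the report, the rest of that image is made up for the test. The script name in the usage line is hypothetical.

```python
"""Static PE header triage: CheckSum recomputation (imagehlp algorithm),
COFF TimeDateStamp decoding and packer section names.
Added example; the sandbox's own tooling is not reproduced here."""
import struct
from datetime import datetime, timedelta, timezone

# Small, well-known subset of packer section names (assumption: extend per need).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".vmp0", ".themida"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_offsets(data):
    """Validate MZ/PE headers; return (pe_off, opt_off, size_of_optional_header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                     # signature (4) + COFF header (20)
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return pe_off, opt_off, opt_size


def compute_pe_checksum(data):
    """Sum the file as little-endian DWORDs with end-around carry, skipping the
    CheckSum field (OptionalHeader+0x40 in both PE32 and PE32+), fold to 16 bits,
    then add the file length. Assumes the optional header is 4-byte aligned."""
    _, opt_off, _ = pe_offsets(data)
    skip = (opt_off + 0x40) // 4
    padded = data + b"\0" * (-len(data) % 4)                  # zero-pad the tail DWORD
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_pe_checksum(data):
    """Return (stored, computed, matches). A stored value of 0 means the linker never set one."""
    _, opt_off, _ = pe_offsets(data)
    stored = struct.unpack_from("<I", data, opt_off + 0x40)[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def coff_timestamp(data):
    """COFF TimeDateStamp as an aware UTC datetime; built from the epoch so post-2038 values work."""
    pe_off, _, _ = pe_offsets(data)
    return EPOCH + timedelta(seconds=struct.unpack_from("<I", data, pe_off + 8)[0])


def timestamp_in_future(data, now=None):
    return coff_timestamp(data) > (now or datetime.now(timezone.utc))


def section_names(data):
    """Names from the section table (40-byte entries right after the optional header)."""
    pe_off, opt_off, opt_size = pe_offsets(data)
    count = struct.unpack_from("<H", data, pe_off + 6)[0]
    table = opt_off + opt_size
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(count)]


def packer_sections(data):
    return [s for s in section_names(data) if s in PACKER_SECTIONS]


def build_minimal_pe(checksum=0, timestamp=0, sections=(".text",), payload=b"\xcc" * 0x23):
    """Constructed test image: bare PE32 headers plus a few bytes, NOT a runnable
    executable. Exists only so the checks above can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)               # CheckSum field
    table = b"".join(name.encode().ljust(8, b"\0") + bytes(32) for name in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + payload


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:   # no file given: use the constructed image with the report's values
        data = build_minimal_pe(timestamp=0x832DD3EB, sections=("UPX0", "UPX1"))
    stored, computed, ok = verify_pe_checksum(data)
    print("real checksum: 0x%x should be: 0x%x" % (stored, computed), "OK" if ok else "MISMATCH")
    print("TimeDateStamp:", coff_timestamp(data).strftime("%a %b %d %H:%M:%S %Y UTC"),
          "(in the future)" if timestamp_in_future(data) else "")
    print("packer sections:", packer_sections(data))
```

Run as `python pe_triage.py <file>` to print the same "real checksum / should be" pair the report shows. Two caveats when reading the results: Windows does not validate CheckSum when it loads an ordinary user-mode image, so the mismatches on the dropped files break nothing for the malware and are a triage signal (a modified or hand-assembled image, or a build that never set it, as the 0x0 values on symsrv.dll and the .exe.tmp show), not a blocker; and a stamp from the future is only suspicious relative to the analysis date, so compare against a fixed reference date when the check runs in a pipeline.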

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Renamed to system file: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23080.2006-0\X86\MpOav.dll Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Renamed to system file: C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23080.2006-0\X86\MpOav.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Program Files\Common Files\System\symsrv.dll Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe.tmp Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpOav.dll.tmp Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23080.2006-0\X86\MpOav.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpOav.dll.tmp Jump to dropped file
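The drop sequence recorded above has a fixed shape: the sample, running from the user's desktop, writes <name>.tmp into a directory that only installers and servicing normally touch, then renames it over a Microsoft binary that already lives there (tiptsf.dll under Common Files\ink, MpOav.dll under the Defender platform directory; symsrv.dll is written directly). The .tmp copies still carry the originals' debug-string names in the section above (MpOAV.pdb, and for the .exe.tmp the sandbox's own FakeChrome Chrome.pdb), and their stored checksums no longer match, which is what a modified image looks like. The detection below is an added example, not Joe Sandbox logic: it replays file-create and rename events through two rules, an untrusted writer creating a PE (or PE .tmp) under a protected root, and a .tmp from that writer renamed over a PE in the same directory. The event records are constructed for the example from the paths the report logged; the record layout, the trusted-writer allowlist and the two control events are assumptions to tune per estate.

```python
"""Detect write-tmp-then-rename over a system binary in a protected directory.
Added example over constructed events; not the sandbox's detection logic."""
import ntpath
from dataclasses import dataclass

# Directories whose contents are normally written only by installers / servicing.
PROTECTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)
# Writers allowed to touch those directories (assumption: tune per environment).
TRUSTED_WRITERS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe", "mpcmdrun.exe"}
PE_EXT = {".dll", ".exe", ".sys", ".ocx"}


@dataclass
class FileEvent:
    """One file-system event as an EDR might emit it (constructed layout)."""
    ts: int          # ordering key within the log
    process: str     # image path of the writing process
    op: str          # "create" or "rename"
    path: str        # created path, or the new name for a rename
    src: str = ""    # old name for a rename


def in_protected_dir(path):
    return any(path.lower().startswith(root) for root in PROTECTED_ROOTS)


def writer_is_trusted(process):
    return ntpath.basename(process).lower() in TRUSTED_WRITERS


def detect(events):
    """Return (rule, path, process) alerts.
    R1: untrusted process creates a PE, or a PE .tmp, under a protected root.
    R2: a .tmp that fired R1 is renamed over a PE in the same directory."""
    alerts = []
    tmp_writers = {}                       # lower-cased .tmp path -> writing process
    for ev in sorted(events, key=lambda e: e.ts):
        if writer_is_trusted(ev.process):
            continue
        target = ev.path.lower()
        base, ext = ntpath.splitext(target)
        if ev.op == "create" and in_protected_dir(target):
            final_ext = ntpath.splitext(base)[1] if ext == ".tmp" else ext
            if final_ext in PE_EXT:
                alerts.append(("R1 pe-write-protected-dir", ev.path, ev.process))
                if ext == ".tmp":
                    tmp_writers[target] = ev.process
        elif ev.op == "rename":
            src = ev.src.lower()
            if (src in tmp_writers and ext in PE_EXT
                    and ntpath.dirname(src) == ntpath.dirname(target)):
                alerts.append(("R2 tmp-renamed-over-pe", ev.path, ev.process))
    return alerts


# Constructed event log using the paths the report recorded for this sample.
SAMPLE = "C:\\Users\\user\\Desktop\\4g33Ui2SbU.exe"
INK = "C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\"
DEF = "C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.23080.2006-0\\X86\\"
EVENTS = [
    FileEvent(1, SAMPLE, "create", INK + "tiptsf.dll.tmp"),
    FileEvent(2, SAMPLE, "rename", INK + "tiptsf.dll", src=INK + "tiptsf.dll.tmp"),
    FileEvent(3, SAMPLE, "create", DEF + "MpOav.dll.tmp"),
    FileEvent(4, SAMPLE, "rename", DEF + "MpOav.dll", src=DEF + "MpOav.dll.tmp"),
    FileEvent(5, SAMPLE, "create", "C:\\Program Files\\Common Files\\System\\symsrv.dll"),
    # Control (constructed): servicing writing the same Defender path must stay silent.
    FileEvent(6, "C:\\Windows\\System32\\msiexec.exe", "create", DEF + "MpOav.dll.tmp"),
    # Control (constructed): the sample writing to its own temp dir is out of scope here.
    FileEvent(7, SAMPLE, "create", "C:\\Users\\user\\AppData\\Local\\Temp\\x.dll"),
]

if __name__ == "__main__":
    for rule, path, proc in detect(EVENTS):
        print(f"{rule:28} {path}  <- {ntpath.basename(proc)}")
```

R2 is the higher-confidence rule: a rename that replaces an existing Microsoft DLL under Program Files or the Defender platform directory from a process in a user profile has very few benign explanations. Follow an alert by hashing the renamed file and checking its Authenticode signature; the report's "Renamed to system file" and "(copy)" entries are the two halves of exactly this pattern.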
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Window / User API: threadDelayed 1308 Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Window / User API: threadDelayed 7086 Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Window / User API: foregroundWindowGot 1058 Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23080.2006-0\X86\MpOav.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\Program Files\Common Files\System\symsrv.dll Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe.tmp Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\Program Files (x86)\NrSyGjROmCGtDpASNOvpVSwVnPlUgzUfLYxPPmJFBrONbfprATItBzpUrFXZDdAMlnoN\vmbCeNlTlpLNTakTDlwwgEI.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpOav.dll.tmp Jump to dropped file
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe TID: 7276 Thread sleep time: -1308000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe TID: 7272 Thread sleep time: -1650000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe TID: 7276 Thread sleep time: -7086000s >= -30000s Jump to behavior
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640014118.000000000BE82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: 4g33Ui2SbU.exe, 00000000.00000003.1640014118.000000000BE82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Process token adjusted: Debug Jump to behavior
Source: 4g33Ui2SbU.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637688352.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )D3D9_IdHot_Ctrl_SnapDesktopAppOnHMDEnumAdapters failed.App window cloakedLock screen activeShell_TrayWndShell_SecondaryTrayWndSnapped DesktopOccluder wnd ('Code' is HWND):%sDXGIWatchdogThreadWindowBindCompositionSurfaceFailed to determine if ownership is still takenFailed to reacquire emulated ownershipLeaving fullscreen due to loss of ownership.Leaving fullscreen due to monitor power state.Hybrid FS present: iGPU removed, removing dGPUHybrid FS transition: iGPU removed, removing dGPUIndirect FS transition: indirect adapter removed, removing render adapterminuser.dllGetClientRectFailed to take indirect display ownership.
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645989345.000000000B789000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640903912.000000000B783000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629924484.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: 4g33Ui2SbU.exe, 00000000.00000003.1637688352.000000000B1EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanShellExecuteExWrundll
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndm
Source: 4g33Ui2SbU.exe, 00000000.00000003.1636743885.000000000B1EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \kernelbase.dllRaiseFailFastExceptionRtlNtStatusToDosErrorNoTebShell_TrayWndpicturemusicvideomoviedocumentSoftware\Microsoft\Windows\CurrentVersion\Explorer\Search\PrimaryProperties\UnindexedLocationsSearchOnlySoftware\Microsoft\Windows\CurrentVersion\Explorer\Search\PreferencesAutoWildCardEnableNaturalQuerySyntaxWholeFileSystemSystemFoldersArchivedFiles
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634264121.00000000041F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DWMWINDOWDWMTOUCHDllNameThemeActiveLoadedBeforeLastUserLangIDLastLoadedDPILastLoadedDPIPlateausLastLoadedPPIColorNameSizeNameSoftware\Microsoft\Windows\CurrentVersion\Policies\System SetVisualStyle\rundll32.exeThemeDebuggeesshakeShell_TrayWndTEXTGLOW%s::%s%s\*.*..%s\%s\%s.msstylesLMVersionLMOverRide
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: animationTileContentsSrcanimationTileContentsDstanimationTileContentsSrcInneranimationTileContentsDstInnerVerticalScrollBaranimationProgressSrcanimationProgressSrcInneranimationProgressDstanimationProgressDstInnereltInterruptPaneeltRegularTileHeaderidOperationTileeltProgressBareltItemIconeltItemNameeltInterruptElevateBtneltInterruptButtonsContainereltInterruptYesBtneltInterruptOKBtneltInterruptNoBtnConfirmationCheckBoxDoForAlleltInterruptDeleteBtneltInterruptSkipBtneltInterruptCancelBtneltInterruptRetryBtnidTileActionidOperationInterruptidTileSubTextIdTileDecideForEachidItemTileIdTileIgnoreKeepSourceTileIconSkipTileIconDecideForEachTileIconIdTileKeepSourceIdTileKeepDestIdTileKeepAsWorkIdTileKeepAsPersonalCustomCommandIconidTileIcon%0.2fCHARTVIEWidConflictInterrupteltInterruptTileHeadereltPauseButtoneltItemsRemainingeltLocationseltConfirmationInterrupteltRateCharteltTimeRemainingeltTile%ueltTileContentseltDetailseltProgressBarContainereltDividereltScrollBarFillereltConflictInterrupteltCancelButtoneltRegularTileeltScrollEnthusiastModeidTileHosteltDisplayModeBtneltDisplayModeBtnFocusHolderWindows.SystemToast.ExplorereltFooterAreaprogman-
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ConfirmCabinetIDViewFolderExploreFolderShellFileFindFolderOpenFindFileReplaceItemReloadDeleteGroupDeleteItemAddItemExitProgmanCreateGroupShowGroupNewLinkNewFolderNewLink[RN
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DDEMLMomDMGFrameExplorersetupPmFrameGetIconGetDescriptionInstallMake Program Manager GroupGroupsSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsGetWorkingDirStartUpccInsDDEDDEClientddeClassSenderCA_DDECLASSMedia Recorder#32770BACKSCAPEMediaRecorderBWWFrameDDEClientWndClassgroups
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FoldersAppPropertiesShell*ProgmanProgmanPROGMAN
Source: 4g33Ui2SbU.exe, 00000000.00000003.1632088423.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646754801.0000000008773000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8WorkerWShell_TrayWnd
Source: 4g33Ui2SbU.exe, 00000000.00000003.1645989345.000000000B789000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1640903912.000000000B783000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1629924484.000000000B1E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: 4g33Ui2SbU.exe, 00000000.00000003.1642244396.000000000BE83000.00000004.00000020.00020000.00000000.sdmp, 4g33Ui2SbU.exe, 00000000.00000003.1646467039.000000000BE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Qishell\shell32\copyfgd.cppAlwaysShowExtshell\shell32\netfldrcb.cppSetDesktopWorkAreasshell\shell32\unicpp\desktop.cpppszDesktopTitleWProgram ManagerPersistBrowsers
Source: 4g33Ui2SbU.exe, 00000000.00000003.1634924430.000000000B1E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RunAsRunAsNetLinkTimeout::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Software\Microsoft\Tracking\TimeOutopenShell_TrayWndTargetundelete
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\4g33Ui2SbU.exe Directory queried: C:\Users\user\Documents Jump to behavior
[Legend of the IP-distribution map; the map itself is not included in this extract: No. of IPs < 25% / 25% to 50% / 50% to 75% / > 75%]