Edit tour

Windows Analysis Report
lQV0SgKoqe.exe

Overview

General Information

Sample name:	lQV0SgKoqe.exe renamed because original name is a hash value
Original sample name:	918504ede26bb9a3aa315319da4d3549d64531afba593bfad71a653292899fec.exe
Analysis ID:	1428494
MD5:	76ffbb43f6ac003cacf391b95d462362
SHA1:	03c94534ae4471187d9ab10ad0802deb51103de1
SHA256:	918504ede26bb9a3aa315319da4d3549d64531afba593bfad71a653292899fec
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to hide the console window

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

Tries to harvest and steal browser information (history, passwords, etc)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious desktop.ini Action

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

lQV0SgKoqe.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\lQV0SgKoqe.exe" MD5: 76FFBB43F6AC003CACF391B95D462362)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)

OpenWith.exe (PID: 7780 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\lQV0SgKoqe.exe, ProcessId: 7492, TargetFilename: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\lQV0SgKoqe.exe, ProcessId: 7492, TargetFilename: C:\Users\user\3D Objects\desktop.ini

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: lQV0SgKoqe.exe	ReversingLabs: Detection: 80%
Source: lQV0SgKoqe.exe	Virustotal: Detection: 77%			Perma Link

Machine Learning detection for sample

Source: lQV0SgKoqe.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111A40 CryptBinaryToStringA,CryptBinaryToStringA,	0_2_00111A40
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00112B90 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptDestroyHash,CryptDestroyHash,	0_2_00112B90
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111520 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptGetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,	0_2_00111520
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111D80 CreateFileA,_strcat,GetFileSize,ReadFile,FindCloseChangeNotification,DeleteFileA,CryptReleaseContext,CreateFileA,WriteFile,FindCloseChangeNotification,	0_2_00111D80
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_001116A0 CryptEncrypt,CryptDestroyKey,CryptDestroyKey,_memcpy_s,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,	0_2_001116A0
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111820 CryptDestroyKey,CryptDestroyKey,_memcpy_s,CryptDecrypt,CryptDestroyKey,	0_2_00111820
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111950 CryptDestroyKey,CryptReleaseContext,	0_2_00111950
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111990 CryptBinaryToStringW,CryptBinaryToStringW,	0_2_00111990
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111AF0 CryptStringToBinaryW,CryptStringToBinaryW,	0_2_00111AF0
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00111BB0 CryptStringToBinaryA,CryptStringToBinaryA,	0_2_00111BB0

Source: lQV0SgKoqe.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lQV0SgKoqe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_00111F70 FindFirstFileA,GetFullPathNameA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetFullPathNameA,FindNextFileA,GetLastError,FindClose,

0_2_00111F70

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC\Collab	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC\	Jump to behavior

Networking

Found Tor onion address

Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <h1><a style = "color:#ffffff;" href = "http://aa2stvtvgxo6mv5y.onion.to/ransomed.php">Help \| Aiuto \| Au secours \| Ayuda \| Hilfe</a></h1>
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <h2>A : The only method accepted is <strong style = "color:#ff6000">Bitcoin</strong> follow this <a style = "color:#ff6000" href = "http://aa2stvtvgxo6mv5y.onion.to/payments.php?id=%s">link</a> to start pay.</h2>
Source: lQV0SgKoqe.exe, 00000000.00000002.1843663234.000000000012C000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: <h1><a style = "color:#ffffff;" href = "http://aa2stvtvgxo6mv5y.onion.to/ransomed.php">Help \| Aiuto \| Au secours \| Ayuda \| Hilfe</a></h1>
Source: lQV0SgKoqe.exe, 00000000.00000002.1843663234.000000000012C000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: <h2>A : The only method accepted is <strong style = "color:#ff6000">Bitcoin</strong> follow this <a style = "color:#ff6000" href = "http://aa2stvtvgxo6mv5y.onion.to/payments.php?id=%s">link</a> to start pay.</h2>
Source: lQV0SgKoqe.exe, 00000000.00000000.1635861529.000000000012C000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: <h1><a style = "color:#ffffff;" href = "http://aa2stvtvgxo6mv5y.onion.to/ransomed.php">Help \| Aiuto \| Au secours \| Ayuda \| Hilfe</a></h1>
Source: lQV0SgKoqe.exe, 00000000.00000000.1635861529.000000000012C000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: <h2>A : The only method accepted is <strong style = "color:#ff6000">Bitcoin</strong> follow this <a style = "color:#ff6000" href = "http://aa2stvtvgxo6mv5y.onion.to/payments.php?id=%s">link</a> to start pay.</h2>
Source: lQV0SgKoqe.exe	String found in binary or memory: <h1><a style = "color:#ffffff;" href = "http://aa2stvtvgxo6mv5y.onion.to/ransomed.php">Help \| Aiuto \| Au secours \| Ayuda \| Hilfe</a></h1>
Source: lQV0SgKoqe.exe	String found in binary or memory: <h2>A : The only method accepted is <strong style = "color:#ff6000">Bitcoin</strong> follow this <a style = "color:#ff6000" href = "http://aa2stvtvgxo6mv5y.onion.to/payments.php?id=%s">link</a> to start pay.</h2>

Source: Joe Sandbox View

IP Address: 34.117.118.44 34.117.118.44

Source: unknown

DNS query: name: www.myexternalip.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: AdobeAcrobat Update/21.0Host: www.myexternalip.com

Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: www.myexternalip.com

Source: lQV0SgKoqe.exe	String found in binary or memory: http://aa2stvtvgxo6mv5y.onion.to/payments.php?id=%s
Source: lQV0SgKoqe.exe	String found in binary or memory: http://aa2stvtvgxo6mv5y.onion.to/ransomed.php
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: lQV0SgKoqe.exe	String found in binary or memory: http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: lQV0SgKoqe.exe	String found in binary or memory: http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: lQV0SgKoqe.exe	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1846141652.0000000004035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.000000000348A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: lQV0SgKoqe.exe, 00000000.00000002.1845007098.000000000374B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mo
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1846141652.0000000004035000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: lQV0SgKoqe.exe, 00000000.00000002.1844561467.0000000003520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=&
Source: lQV0SgKoqe.exe, 00000000.00000002.1844561467.0000000003520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=&metrics#search.engine.default.verified
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: lQV0SgKoqe.exe, 00000000.00000002.1845007098.000000000374B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: lQV0SgKoqe.exe, 00000000.00000002.1845007098.000000000374B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1844561467.0000000003551000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1845007098.000000000374B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: lQV0SgKoqe.exe	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZUSERNAMEC:\Users\vssadmin.exe Delete Shadows /All /Quiet.AlcatrazConsoleWindowClassWindows_XPWindows_XPWindows_XP_SP1Windows_XP_SP1Windows_XP_SP2Windows_XP_SP2Windows_XP_SP3Windows_XP_SP3Windows_VistaWindows_VistaWindows_Vista_SP1Windows_Vista_SP1Windows_Vista_SP2Windows_Vista_SP2Windows_7Windows_7Windows_7_SP1Windows_7_SP1Windows_8Windows_8Windows_8.1Windows_8.1Windows_10Windows_10Windows_ServerWindows_ServerWindows_ClientWindows_ClientUSERNAME/index.php?ip=%s&id=%s&botid=%s&username=%s&key=%s%s&os=%s&count=%dAdobe Updater/33.4onion.toGETHost:aa2stvtvgxo6mv5y.onion.toOKAdobeAcrobat Update/21.0www.myexternalip.com/rawGETUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\*...AppData\Desktop\ransomed.html<html lang="en">
Source: lQV0SgKoqe.exe, 00000000.00000002.1843663234.000000000012C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: lQV0SgKoqe.exe, 00000000.00000002.1843663234.000000000012C000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZUSERNAMEC:\Users\vssadmin.exe Delete Shadows /All /Quiet.AlcatrazConsoleWindowClassWindows_XPWindows_XPWindows_XP_SP1Windows_XP_SP1Windows_XP_SP2Windows_XP_SP2Windows_XP_SP3Windows_XP_SP3Windows_VistaWindows_VistaWindows_Vista_SP1Windows_Vista_SP1Windows_Vista_SP2Windows_Vista_SP2Windows_7Windows_7Windows_7_SP1Windows_7_SP1Windows_8Windows_8Windows_8.1Windows_8.1Windows_10Windows_10Windows_ServerWindows_ServerWindows_ClientWindows_ClientUSERNAME/index.php?ip=%s&id=%s&botid=%s&username=%s&key=%s%s&os=%s&count=%dAdobe Updater/33.4onion.toGETHost:aa2stvtvgxo6mv5y.onion.toOKAdobeAcrobat Update/21.0www.myexternalip.com/rawGETUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\*...AppData\Desktop\ransomed.html<html lang="en">
Source: lQV0SgKoqe.exe, 00000000.00000000.1635861529.000000000012C000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: lQV0SgKoqe.exe, 00000000.00000000.1635861529.000000000012C000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZUSERNAMEC:\Users\vssadmin.exe Delete Shadows /All /Quiet.AlcatrazConsoleWindowClassWindows_XPWindows_XPWindows_XP_SP1Windows_XP_SP1Windows_XP_SP2Windows_XP_SP2Windows_XP_SP3Windows_XP_SP3Windows_VistaWindows_VistaWindows_Vista_SP1Windows_Vista_SP1Windows_Vista_SP2Windows_Vista_SP2Windows_7Windows_7Windows_7_SP1Windows_7_SP1Windows_8Windows_8Windows_8.1Windows_8.1Windows_10Windows_10Windows_ServerWindows_ServerWindows_ClientWindows_ClientUSERNAME/index.php?ip=%s&id=%s&botid=%s&username=%s&key=%s%s&os=%s&count=%dAdobe Updater/33.4onion.toGETHost:aa2stvtvgxo6mv5y.onion.toOKAdobeAcrobat Update/21.0www.myexternalip.com/rawGETUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\*...AppData\Desktop\ransomed.html<html lang="en">
Source: lQV0SgKoqe.exe	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: lQV0SgKoqe.exe	Binary or memory string: AabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZUSERNAMEC:\Users\vssadmin.exe Delete Shadows /All /Quiet.AlcatrazConsoleWindowClassWindows_XPWindows_XPWindows_XP_SP1Windows_XP_SP1Windows_XP_SP2Windows_XP_SP2Windows_XP_SP3Windows_XP_SP3Windows_VistaWindows_VistaWindows_Vista_SP1Windows_Vista_SP1Windows_Vista_SP2Windows_Vista_SP2Windows_7Windows_7Windows_7_SP1Windows_7_SP1Windows_8Windows_8Windows_8.1Windows_8.1Windows_10Windows_10Windows_ServerWindows_ServerWindows_ClientWindows_ClientUSERNAME/index.php?ip=%s&id=%s&botid=%s&username=%s&key=%s%s&os=%s&count=%dAdobe Updater/33.4onion.toGETHost:aa2stvtvgxo6mv5y.onion.toOKAdobeAcrobat Update/21.0www.myexternalip.com/rawGETUser-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\*...AppData\Desktop\ransomed.html<html lang="en">

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File moved: C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File deleted: C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File moved: C:\Users\user\Desktop\ONBQCLYSPU.jpg	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File deleted: C:\Users\user\Desktop\ONBQCLYSPU.jpg	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File deleted: C:\Users\user\Desktop\ONBQCLYSPU.jpg	Jump to behavior

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_0011638A	0_2_0011638A
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_0011E580	0_2_0011E580
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00122F64	0_2_00122F64

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 904

Source: lQV0SgKoqe.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.rans.phis.spyw.evad.winEXE@4/1698@1/1

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7492
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3a745af1-be60-4832-9d26-c4d9fddeee68

Jump to behavior

Source: lQV0SgKoqe.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

File read: C:\Users\user\3D Objects\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lQV0SgKoqe.exe	ReversingLabs: Detection: 80%
Source: lQV0SgKoqe.exe	Virustotal: Detection: 77%

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

File read: C:\Users\user\Desktop\lQV0SgKoqe.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lQV0SgKoqe.exe "C:\Users\user\Desktop\lQV0SgKoqe.exe"
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 904
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

File written: C:\Users\user\3D Objects\desktop.ini

Jump to behavior

Source: lQV0SgKoqe.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lQV0SgKoqe.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00113BF6 push ecx; ret		0_2_00113C09
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_0011EF2D push dword ptr [esp+ecx-75h]; iretd		0_2_0011EF31

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File created: C:\Users\user\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide the console window

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_001129A0 AllocConsole,FindWindowA,ShowWindow,

0_2_001129A0

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe TID: 7548

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_00111F70 FindFirstFileA,GetFullPathNameA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetFullPathNameA,FindNextFileA,GetLastError,FindClose,

0_2_00111F70

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC\Collab	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC\	Jump to behavior

Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fImpt1RyTWTyxNNb+XkCOS8XsHZBEq9Ihy0TxeKLs8nydGf6XspEUym71hQ3DujcRJxRFT1rz0ie+z0jQQ5Cg+K9YUY/8MGQpxdsiEOkOugVEsENkSmHSDeSSEXkiwaZYt0pRjqBrkwFSVT8P8wol9v+BxlFxNwn0TNVmrBDU6RblCXRNTTI7+hNoC0Q6TFvrAG0s1d5gmuy6bNzBZ3biy0gnO7wYei3MgsGoMug14re3mdgNUH1hzXRbAUoV9FYspGNz4ymOt8YkrRGICqAmGE5l5BeuSBxqpZlU6KCc+0oEkC35DISPpINynMUIjQyYYvQi1J3cQYw1hEjDz5FtARqQuZWr5Wrs4u85NB1EHPJs2ZGjlbC8UmTbsnakqemUnvVfMODZBFrN4UMfT/mbKXBAj7A61HTJeeB7NU++fIFrzTJbHaaGONjUAqhKr84QEsW6Ivi7Es3phDosF4UCm6l2z1EIKiuPQY4kGUCS+fPcQjDzLzmFdGgpF6oVwsxgDEqMsG4zPgoj+MsQTQGNmNW6mrWgZ6aFZQkJErAEfSkN4f2LD0LxlFOVL4FzQs7M8sL0AleJV7u6xa4Y2hNmZfyAFxIq7tJCf0TwUO5ieAtbAmlzHiXMtX9n4rf/ujoQq7Pnn5M8VQmm5ILz1jP8SyNwQzrUW5FIOg8OrnV520on/6kwHWymIUg/8apQgJ5vdxIyFS11z+NgHKkeIq3z4jnZ3MgpwykImBoxE0sDac=bh
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: lQV0SgKoqe.exe, 00000000.00000002.1849932155.000000000707E000.00000004.00000020.00020000.00000000.sdmp, MANIFEST-000001.Alcatraz.Alcatraz.Alcatraz.Alcatraz.0.dr	Binary or memory string: WCx4Oic2PaZh/srrrCTAFuVgXhBNvRY2U7lXojnYqwLlfNd9JikK4lnKek4pnVm1PgdsUTmZ3rixrxWdy1ulUeyTYz2tesKYHNh3IohnVxSGhd0wJ8xuEQrjfBXDL2M9D5vqJaR3flG6sV+dx/M8lZ9oGg27kYuD7ZAN303Mcf8QnkBvTpzOl+8AEm65gkj0iQEmUGwI/dvDQyezbAc4yq5QEdtF7yuhlk2TxJWBkmJIzNQq+GUFzNXRH8g25vqNK98acK6iFmLlX1dnJd0eOLVv+V2sOEvK0iXR2HkPFC8=
Source: lQV0SgKoqe.exe, 00000000.00000003.1641398877.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: lQV0SgKoqe.exe, 00000000.00000003.1641398877.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: previous.jsonlz4.0.dr	Binary or memory string: 34d0VWRaMdq6jdmwrj3XX+IY3GdU+d4stQUL87IpMtt+yGamZAlU9pjogKpdW9KrfIOceYIK3Tw2pFijRQoMiNYTJuE7axEvhgAkJvE7tbW+vA42x9a5lR+3hZfnLfEuuwTsbrK9Htp8mbVYQ+u0mOHUQyDm/0CluSpfQrWjo7yjpbw4iIwAOhu2+O9RgALrTct8u4eLQXxqimPm7KhHm7Pp70buI9JrgMw6RPFOQOf40XXfdl3Nycbt/1EHaXz8R4crT5j+9girN00AhX8HdRbreqSr2EZTWpBsxjuCSAHfrMXEks34/Dqtp/Z54E9Qw23H8FNDDjsYbA6zh0nyszDE+7y+pz1FDrqWUiLyHEdcwb65k6xxMTFJ2szplF3rNMAWV20FcnTXUNzJKSj4Mhd6oQcW4vEzvB0UPIDLgbMoP9AezPuQD5ruV9IPTlHTesAWNWqMyDP3Ca4uaHwBIGl/m1g5A9QUIRdLxStFNhlcPixl9dJKpzlZfoat83HmqwCPgo5etXsWNAWrjw/2PiWqfG3GybaycJqd57Ht7UaMCrCbCOLhe+aBUiFFHSnr33jeLbXLmXDfGSRz+8O/QxUYbM73Qi9RgmNv790ez65BPs0R8BFLdHoNkU7hNQYkO7Padk+WCubPBs8vCDXLImzGUr2AD4kqvSO2WTPTPIIJl9h+Jf5RclpdbQXRVtj61TqvjPaevUCDkRgJkqqKj97hxCV2MBCjz0q5iEn2MKiPJHr2G2OP4fywF+ISwpf27LF0/sYPoKzA4wP/byp1qHE2gAQ4ggTu8r0EeDVqz170xLJs6bLqnM89Iw8CEvz9GV7D4JsvROWjqjOhhoo+D/Lk7sX2ay/TSDn/YUrdCLQFgcUWyBezwiwC/dKVe/xTmYfcJIYTntYdrUWlvwatT8PcsaavL8MDOdhT4AJWxWP32VDQ0xsXg8pUb57EKoIB8ouuN2nsB4wrgqyHHADrQCITANYaWFCp1gQ9FaDxXXSAPOt+cPP43NbO3qsrDuvJyouK1wVbu6VFqzU+/F2zM6JxPhFDgStRqRyLRvYIHsyUex/+3mPJ6VCCLHMSEFMTsyrp0inc9ojUWnKfDQ1bcqRrY3FzjBIkHhnpbVyZQrvL51KJ41ZykR4EMTndxlqxgY2J9q/VMcIOZfqiposaaV9MQ2Phzmb3WKNoYW9GSAs9CM7rk9+rD1IyXKyWchHBiu+LbSxG68cs7AIvYNLfkVcrZw8DNTTzgxmnYAjoYBuoH06x2b5B8GMU4nE+CWwQmi4b5JGLpedF28Y4GLnYhco7IlmDxAZmE8LlcquJnqUK6Q2BUiIpPGsiNLVemSWuSxRZrGtOt8el5lYgxleXpdhVcDTrmHqjf0ttfHhvKdqoVsTp/AMjCr41jgRndMiu+aZrkm80JXP603hxgaAcOu3hKXwd3b/wMBU/Texzdv3P9OsKlf53geJ4nt444wLPhLwPrE+bs+dR9W2d1+8FfeY66zXBuWtFLh2+PGHHenFCgLQxwN40eBhgT1GJH0ul2jw0yUWJt28VAmTQmtHczAf8O5s0fKTLNH9V3OIbKe5b+U/E24isJjYMtOOMN/KHhRcIDzDoy7I3XD7Rn55WH6P265+ne4gIJCkRnVa4lKo=
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.000000000114F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HYGZTMOBZNLIUCJBYFLBDUAKJBLRARERXMVKEAPQMJITFUEJKUVKFODAYQEAUVRVETRCZBTSAGFPWQFMLYLDAPEFNOPKVOISCGDTAUAAJVWISHIOKHXZIYBAVXNJEWDMDYIRHTHOYDNKDCNAVKVIQRZFAPEGCJLIIYRWLYUWEAWTOKYUWAWKWQRVYDTWAZAQFPSVVBUIHWNKDDXYGEMXCNTRRPXCNAZAEHACUEYUTOUNVZMOTVTTNHNTPWIMLIWQVNEAFVTRIJPWLSEUJZKKCQJALAYIRJZXUZGZZKBAOWBWPVHJDHMMXLLYHYONGKEONUFGWAVITHRWBIZBUYQROUFLSFAMSCLPIAZKBRWXLSGSDLZUPATDCXMLGEYEIUVKOSEZUHTNGCEVISLMQJUFTADFAGWRNYOZYZSBKTBWZVBXHQHYZXQWNOTMNBSOJADGWKOBBLFJDSSNJOGFZEKHGNFSKVANLYRWPSIDYQXYLBWRDDHUWODUSEMMPQDTFTQFWVTJZJTTKBJYVWUQPFIEKHYKXRSWKOMYTFJHIHJTYVUZZQILLGLZDVONFFKATCXDYJDKCISFLSGKAGFZZGBSEKBOASZXHQUTFORYITFTDLPVQODSPUPMWBNLCIHODHFOHDHKLHCBSTZSKXTWDJKJIJHGWECZSCLEXVQFKTVHBNBFDIGBWCYIUFTYNXWINQROSYCHWXJCKPZYNZLVOOVLNCNYKQIGXRQCFJUHBKWMQUCASVTPDLYLDZRVIWXLMRUAQKCYBOEMFYUVWQKXHFUCRYJBPUBOAKKNPWARETAPJJXXUOZULUTXCQPITHNBBWWEVUTWUDRKHYDDUSHQBLIWFLPWKDUYIYTYIQKEJIOBLWDOVSETUWADBWGNDFUUJEJSRJWXWGHFPXTHUELZYPRJPNJUKSYQVDCDFZEEZLSYFNQOKCJRMASCJPYPWDPGJXUCDHEZMPLPVMCIBRIQFHGRLCNFONUMPWNQEUIWWQDYBHRVPAZEHOEYJYYTSUXKIGVO
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lQV0SgKoqe.exe, 00000000.00000002.1850568373.0000000007730000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp, 4ca3cb58378aaa3f_0.Alcatraz.Alcatraz.Alcatraz.0.dr	Binary or memory string: fImpt1RyTWTyxNNb+XkCOS8XsHZBEq9Ihy0TxeKLs8nydGf6XspEUym71hQ3DujcRJxRFT1rz0ie+z0jQQ5Cg+K9YUY/8MGQpxdsiEOkOugVEsENkSmHSDeSSEXkiwaZYt0pRjqBrkwFSVT8P8wol9v+BxlFxNwn0TNVmrBDU6RblCXRNTTI7+hNoC0Q6TFvrAG0s1d5gmuy6bNzBZ3biy0gnO7wYei3MgsGoMug14re3mdgNUH1hzXRbAUoV9FYspGNz4ymOt8YkrRGICqAmGE5l5BeuSBxqpZlU6KCc+0oEkC35DISPpINynMUIjQyYYvQi1J3cQYw1hEjDz5FtARqQuZWr5Wrs4u85NB1EHPJs2ZGjlbC8UmTbsnakqemUnvVfMODZBFrN4UMfT/mbKXBAj7A61HTJeeB7NU++fIFrzTJbHaaGONjUAqhKr84QEsW6Ivi7Es3phDosF4UCm6l2z1EIKiuPQY4kGUCS+fPcQjDzLzmFdGgpF6oVwsxgDEqMsG4zPgoj+MsQTQGNmNW6mrWgZ6aFZQkJErAEfSkN4f2LD0LxlFOVL4FzQs7M8sL0AleJV7u6xa4Y2hNmZfyAFxIq7tJCf0TwUO5ieAtbAmlzHiXMtX9n4rf/ujoQq7Pnn5M8VQmm5ILz1jP8SyNwQzrUW5FIOg8OrnV520on/6kwHWymIUg/8apQgJ5vdxIyFS11z+NgHKkeIq3z4jnZ3MgpwykImBoxE0sDac=
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: lQV0SgKoqe.exe, 00000000.00000002.1850568373.0000000007730000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WCx4Oic2PaZh/srrrCTAFuVgXhBNvRY2U7lXojnYqwLlfNd9JikK4lnKek4pnVm1PgdsUTmZ3rixrxWdy1ulUeyTYz2tesKYHNh3IohnVxSGhd0wJ8xuEQrjfBXDL2M9D5vqJaR3flG6sV+dx/M8lZ9oGg27kYuD7ZAN303Mcf8QnkBvTpzOl+8AEm65gkj0iQEmUGwI/dvDQyezbAc4yq5QEdtF7yuhlk2TxJWBkmJIzNQq+GUFzNXRH8g25vqNK98acK6iFmLlX1dnJd0eOLVv+V2sOEvK0iXR2HkPFC8=J
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: lQV0SgKoqe.exe, 00000000.00000002.1844314355.0000000003438000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "VMware V[
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: lQV0SgKoqe.exe, 00000000.00000002.1843859683.0000000001130000.00000004.00000020.00020000.00000000.sdmp, CameraRoll.library-ms.0.dr	Binary or memory string: FegQ8Cvs1+sGRToGcJhg8/8L5y9GiqiW9D7pOLTG1YjFq+AhXEBplGjlylNMy2haHd1x6ajqzfZnJ8a3jrXk9Sxv/OKZxzBsr5jPGFHijlzIqdJcEw2DROzjwJWhXBDFL1R8/Zxh00zrJfHTqYcWAdQ5OlvTxFE4DB9z3xSS0i0d6q1wk90ZB/v0pqm4fBZmqdLQro+vKp4DQ7TwEmc2tLLt2buARIsPPMlHa12zLh8dAV5XyKZJcmH+C+3gBAf2brSMyVIdjFHgpe91M24GdQRfJETHVyu8bv+pX89PfKYHBdYHoron8cLh0yygGdAK8UbAnWfINAVH976vba4fe3Gl/Z/hQXHFOGi3Ar2GeZ/KScfb/OET5cndG3Z51n3FJpVRQ2XiYDTcPNTYVvDgxpHzZ1G3XsIM1VltAaOShhdRif1madhrw30nJBPECmmNE8vbrcWvdd4M1TcthQtkjkaIag8Yu5LzaIaxXeToGvpWK3NfppPscFZ556AD8D+UxGNcYcYfQ0IiVxOjsX0+1HuJy12oHGfsePAlGlCokae1eExUQYJpykOZz7t8wL0D2NfU/HbEtwWGZYGJindMXH+5Z9W7zYaHnQweijjIYk5rHCVYHW7b1omwexctbCzUOcDnEcSpaLcuzOEchJqU+5xE+EncFNctqP0eQfbwSaQDToXmVivUMGnkM3n0WlPO+mEho7KbimiwqKh2J8NAjKDKoAcDeIEfBx6P1Nl+YlsBWvCigw97zdbgNKOJY9rOo33hms5p3N+4ZMBqqkYfCNhCGDuIcHLttoz/xJcuedVL0qsDzHI+3+V4EDiDyqHxav6aHDCe5PpjQ+kPV+nKJ3pm7KYcTjkHimXiFH9OOagPwS9JvIvmYSorNIPxxVsianZ+dc73WQikpYKiLApNVtLcHyAupv0PCC2BgtIOUBKEsCxvbRsqTLvRscLk8PmiZXG0KuJ++QV6d2GYY3ZmtbSLxo9cXW+7vVpVsXB6yitKscjR3Vk94S84d1goUjRHrRehhseii2QiFWSbuRZ0ET7aH2Og6N4G2prITxvHrLMWPUphYuR9xeNL54UkFPSfjyUnHLUnsfm8/qynhXUepmK6GEDvsybmrf153c1iRykNXUzu3ouiOwcpgeKxbGB68Fp5+mgShL77VUFPMhow5MHiQszEH6t+SLZ6Kpvv7vPj5ZKf0zxwtTv5/EM9/xwTZ6WtkYUMq3PFCKKV2lB4SnWpbEy8J/P5gAyt9kumSsP7bWx9it8Nm8JlY52pfEUjbgqgZiudIozwDGyrENaqaHGLp3pNoRyFyo/oXFNJkCAdzBbn7aJ7ou49rXBa4hvcYhSbLukyUfdfBIceOZNWvg==
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_00113991 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00113991

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_00117720 mov eax, dword ptr fs:[00000030h]

0_2_00117720

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_0011CC7F GetProcessHeap,

0_2_0011CC7F

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00113991 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00113991
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_001131A3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001131A3
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00113AF0 SetUnhandledExceptionFilter,	0_2_00113AF0
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	Code function: 0_2_00114F17 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00114F17

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_00113C0B cpuid

0_2_00113C0B

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Code function: 0_2_0011387F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0011387F

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\data.safe.bin	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite.Alcatraz	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.Alcatraz	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Crash Reports	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\installs.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\data.safe.bin	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite.Alcatraz	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Crash Reports\events	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.Alcatraz	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Crash Reports\InstallTime20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Pending Pings	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\lQV0SgKoqe.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Window	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	4 File and Directory Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lQV0SgKoqe.exe	81%	ReversingLabs	Win32.Ransomware.FileCryptor
lQV0SgKoqe.exe	78%	Virustotal		Browse
lQV0SgKoqe.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://account.bellmedia.c	0%	URL Reputation	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://www.ebay.co.uk/	0%	URL Reputation	safe
https://www.amazon.co.uk/	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://support.mo	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.myexternalip.com	34.117.118.44	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.myexternalip.com/raw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.avito.ru/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?extsrc=mailto&url=%s	lQV0SgKoqe.exe, 00000000.00000002.1844314355.000000000348A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aa2stvtvgxo6mv5y.onion.to/payments.php?id=%s	lQV0SgKoqe.exe	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mo	lQV0SgKoqe.exe, 00000000.00000002.1845007098.000000000374B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.leboncoin.fr/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.twitter.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://weibo.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ifeng.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zhihu.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aa2stvtvgxo6mv5y.onion.to/ransomed.php	lQV0SgKoqe.exe	false		high
https://www.reddit.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.reddit.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.ca/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ebay.co.uk/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nytimes.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.co.uk/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ebay.de/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.wykop.pl/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css	lQV0SgKoqe.exe	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	lQV0SgKoqe.exe, 00000000.00000002.1846774982.000000000481C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.olx.pl/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://allegro.pl/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mo	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1846141652.0000000004035000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	lQV0SgKoqe.exe, 00000000.00000002.1845298885.0000000003C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.fr/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	lQV0SgKoqe.exe, 00000000.00000002.1844314355.00000000034C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/search?client=firefox-b-d&q=&metrics#search.engine.default.verified	lQV0SgKoqe.exe, 00000000.00000002.1844561467.0000000003520000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.wikipedia.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.live.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/search?client=firefox-b-d&q=&	lQV0SgKoqe.exe, 00000000.00000002.1844561467.0000000003520000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js	lQV0SgKoqe.exe	false		high
https://www.amazon.de/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp, lQV0SgKoqe.exe, 00000000.00000002.1846141652.0000000004035000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.com/	lQV0SgKoqe.exe, 00000000.00000002.1843859683.00000000010EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.baidu.com/	lQV0SgKoqe.exe, 00000000.00000002.1846141652.000000000403B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.118.44	www.myexternalip.com	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428494
Start date and time:	2024-04-19 02:57:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lQV0SgKoqe.exe renamed because original name is a hash value
Original Sample Name:	918504ede26bb9a3aa315319da4d3549d64531afba593bfad71a653292899fec.exe
Detection:	MAL
Classification:	mal76.rans.phis.spyw.evad.winEXE@4/1698@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:57:48	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.Alcatraz
02:57:48	API Interceptor	1x Sleep call for process: lQV0SgKoqe.exe modified
02:57:57	API Interceptor	1x Sleep call for process: OpenWith.exe modified
02:58:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.118.44	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	/
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	/
	file.exe	Get hash	malicious	Unknown	Browse	ifconfig.me//
	file.exe	Get hash	malicious	Unknown	Browse	ifconfig.me//
	file.exe	Get hash	malicious	Unknown	Browse	ifconfig.me//
	x3oDq746Ub.exe	Get hash	malicious	Trickbot	Browse	ipecho.net/plain
	mhddos_proxy_win.exe	Get hash	malicious	Unknown	Browse	ipecho.net/plain
	94MmmtV9li	Get hash	malicious	Unknown	Browse	/plain
	94MmmtV9li	Get hash	malicious	Unknown	Browse	/plain
	bix.exe	Get hash	malicious	Unknown	Browse	ifconfig.me/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.myexternalip.com	Default Game.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Mauqes.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Mauqes.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Sky Beta .exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	oPUxYDe9mt.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	GrappleTanks.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	GrappleTanks.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	GrappleTanks.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	PlanetsBeta.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	BlendyBeta.exe	Get hash	malicious	Unknown	Browse	34.117.118.44

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	s.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	34.117.186.192
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	tA6etkt3gb.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.188.166
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	34.117.188.166
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	34.117.186.192
	https://csactivation.carestreamdental.com/ViewSwitcher/SwitchView?mobile=True&returnUrl=https://bpy.us/moTxvQ3E4RAm3ToTxn2APa4RAchQ3E4RAD5QyD5Qm3TQ3EmD5Qz01coTxm&mc=101631	Get hash	malicious	Unknown	Browse	34.117.33.233
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	dendy.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.86627290936073
Encrypted:	false
SSDEEP:	96:/CpeF+0XbW/uMsyh2I77ES3QXIDcQ+c6tcEUcw3B+HbHg/8BRTr3NFEjoYhSOyW/:jg0reuMg0gp+SjGOzuiFgZ24IO8i
MD5:	319F0C8115D1F33869CF20B9BB2C579D
SHA1:	F43E017E7A481D96CAE75BC493C92904EBA8007D
SHA-256:	751C65A38828AEF44E60757809E610F365FC881FE9266386EEF2AD1B210D95C6
SHA-512:	0C043A65A35A1DF3E1DBCD32D75EC44D2DAD480533BEF84257B561AD08D4BE92F7497EBB02913BB36E9EBA3A689F0017ED64A048C653783824ADB9BF845A7E59
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.6.1.8.7.6.5.8.0.8.8.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.9.6.1.8.7.6.9.5.5.8.8.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.3.a.0.6.1.6.5.-.f.2.b.7.-.4.d.0.5.-.b.c.c.d.-.8.c.6.4.b.2.0.d.0.6.8.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.1.c.3.1.8.2.-.9.6.9.c.-.4.0.0.8.-.b.3.a.2.-.4.3.a.f.1.1.0.4.f.b.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.Q.V.0.S.g.K.o.q.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.4.-.0.0.0.1.-.0.0.1.4.-.f.c.e.b.-.5.9.9.8.f.4.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.5.0.3.3.a.2.3.a.4.f.e.a.4.6.3.2.a.7.9.a.2.e.1.7.3.0.d.6.8.3.b.0.0.0.0.f.f.f.f.!.0.0.0.0.0.3.c.9.4.5.3.4.a.e.4.4.7.1.1.8.7.d.9.a.b.1.0.a.d.0.8.0.2.d.e.b.5.1.1.0.3.d.e.1.!.l.Q.V.0.S.g.K.o.q.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

Process:	C:\Users\user\Desktop\lQV0SgKoqe.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.866969898440777
Encrypted:	false
SSDEEP:	12:J1Rc3iJdrmltXgA30A82UTPMmkUGp6fAZvzc:Jw3YrsQAEAnmkUnfAZg
MD5:	14DB98C592388D8C63297907C39ECD2E
SHA1:	AD503ABFBD457E8036C0E014B7C480944962F91F
SHA-256:	A82A4D8B410E03B1ACD703DEB8CDA033DE33C731294BC11D3E4075CC43055B70
SHA-512:	DAB18BDE37AF834CAF0D68F51FFF3D5813B572F235F67F85C9F2C53AD50992481A3C21B927A566DC0C6F125A53AC02756A156FC904946441D644CA9FD3E6F89F
Malicious:	false
Reputation:	low
Preview:	po/6s/fHEMWJh2qsR5k3z1aaaCbmtLxb1E71MfCN6AbXQ+4UHg2lIIpNQr9pU8EzEYIKsr0qA/93AB2IE0JuleeNIMVhVhXVEl7hnliYfMGrFPij3H0sp2JEHIr6X662emxZ8KbuDV8gymGmxbu4xiFXrzvAHTeH8f4zAz6by03fWQtXXFKKOrWBk22JuVlJ6la2VKDN3tfTVWN5apMQYSOM+EVBPjvLaWcgoJQD5+Tmz5PiYKEguTpiYU4K0zz+QJ6WIkubE27Ui2b5tTyg0pL1gGnRgtroSJLzknXMIBGCIukPNh7lmba+VEEz9Ga8FjcLge3LzQNIeLWhinbfKYabfoiSG41Z/He7qjq9RrdkxjihQYtQhTN9crzAetQ6l/HPHzGmyhAzAU+YNZi0pA==

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.480876195789448
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lQV0SgKoqe.exe
File size:	117'760 bytes
MD5:	76ffbb43f6ac003cacf391b95d462362
SHA1:	03c94534ae4471187d9ab10ad0802deb51103de1
SHA256:	918504ede26bb9a3aa315319da4d3549d64531afba593bfad71a653292899fec
SHA512:	2368a891561fe6e20870c22f9ba39bb2b5781014cbc359b779f4d55e135a40753d71149082374a50cd3bb614efc7fe8e4fbb21435a3cf4171da0217f15ec07e5
SSDEEP:	3072:JKTECsVTYGVMuCz0a3gcGiR4idFyEco3I74o+w5jZ:JKA7xYg44+wVZ
TLSH:	12B36C11B5C1C071D4B3193459B8DAB11A6CF9300F686EEBA3D8117A4FB41D17A3AEAF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lQ...?...?...?.N.....?.N...r.?.N.....?..P<...?..P:...?..P;...?.N.....?...>...?..P;...?..P=...?.Rich..?........................

Entrypoint:	0x4035ed
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57F20C61 [Mon Oct 3 07:44:33 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	983d9930adf4e1f4a55db167dd5f3c89

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1adf4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1f000	0x1100	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a5d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a5f0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13234	0x13400	ca05c1a178cb44249a39cd8f0d71ffc2	False	0.5811307832792207	data	6.5732710601540125	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x6874	0x6a00	edc964438eb5a2557849bcecc023da4f	False	0.48024764150943394	data	5.28971325186092	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0x1f14	0x1600	2a8ebb9415149a780c5886083c644890	False	0.32191051136363635	data	4.52453512593875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x1e000	0xb4	0x200	abf02e22aac2b3ff9e9c9438033c1b16	False	0.28125	data	1.502749284544401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1f000	0x1100	0x1200	9434a7a95f3f9351038cf52243f2288c	False	0.7760416666666666	data	6.424931374323263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
WINHTTP.dll	WinHttpReceiveResponse, WinHttpSendRequest, WinHttpAddRequestHeaders, WinHttpOpenRequest, WinHttpQueryDataAvailable, WinHttpReadData, WinHttpConnect, WinHttpCloseHandle, WinHttpOpen
KERNEL32.dll	GetFullPathNameA, ReadFile, WriteFile, CloseHandle, GetLastError, GetFileSize, AllocConsole, HeapReAlloc, HeapSize, DeleteFileA, FindNextFileA, FindFirstFileA, FindClose, CreateFileA, SetCurrentDirectoryA, VerSetConditionMask, GetConsoleCP, GetConsoleMode, SetFilePointerEx, FlushFileBuffers, DecodePointer, WriteConsoleW, RaiseException, CreateFileW, VerifyVersionInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, MultiByteToWideChar, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc, WaitForSingleObject, GetExitCodeProcess, CreateProcessA, GetFileAttributesExW, CompareStringW, LCMapStringW, MoveFileExW, GetFileType, FindFirstFileExA, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetStdHandle, GetStringTypeW, GetProcessHeap
USER32.dll	FindWindowA, ShowWindow
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringW, CryptBinaryToStringA, CryptStringToBinaryW
ADVAPI32.dll	SystemFunction036, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptDecrypt, CryptEncrypt, CryptGetKeyParam, CryptSetKeyParam, CryptDestroyKey, CryptDeriveKey, CryptReleaseContext, CryptAcquireContextW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 02:57:48.503768921 CEST	49730	80	192.168.2.4	34.117.118.44
Apr 19, 2024 02:57:48.609046936 CEST	80	49730	34.117.118.44	192.168.2.4
Apr 19, 2024 02:57:48.609142065 CEST	49730	80	192.168.2.4	34.117.118.44
Apr 19, 2024 02:57:48.609371901 CEST	49730	80	192.168.2.4	34.117.118.44
Apr 19, 2024 02:57:48.713682890 CEST	80	49730	34.117.118.44	192.168.2.4
Apr 19, 2024 02:57:48.737704992 CEST	80	49730	34.117.118.44	192.168.2.4
Apr 19, 2024 02:57:48.783231974 CEST	49730	80	192.168.2.4	34.117.118.44
Apr 19, 2024 02:58:10.066138983 CEST	49730	80	192.168.2.4	34.117.118.44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 02:57:48.377194881 CEST	64638	53	192.168.2.4	1.1.1.1
Apr 19, 2024 02:57:48.498125076 CEST	53	64638	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Apr 19, 2024 02:57:48.609371901 CEST	154	OUT	GET /raw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: AdobeAcrobat Update/21.0 Host: www.myexternalip.com
Apr 19, 2024 02:57:48.737704992 CEST	196	IN	HTTP/1.1 200 OK server: fasthttp date: Fri, 19 Apr 2024 00:57:48 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * via: 1.1 google Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Target ID:	0
Start time:	02:57:47
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\lQV0SgKoqe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lQV0SgKoqe.exe"
Imagebase:	0x110000
File size:	117'760 bytes
MD5 hash:	76FFBB43F6AC003CACF391B95D462362
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	02:57:56
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 904
Imagebase:	0x960000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	1046
Total number of Limit Nodes:	20

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lQV0SgKoqe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lQV0SgKoqe.exe_7d616acb29ecb5111acc7a68f67489811b3ab7ec_f47788f9_63a06165-f2b7-4d05-bccd-8c64b20d068f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3012.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30BF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30E0.tmp.xml

C:\Users\user\3D Objects\desktop.ini

C:\Users\user\3D Objects\desktop.ini.Alcatraz (copy)

C:\Users\user\AppData\Local\.curlrc

C:\Users\user\AppData\Local\.curlrc.Alcatraz

C:\Users\user\AppData\Local\.curlrc.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\.curlrc.Alcatraz.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\.curlrc.Alcatraz.Alcatraz.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\.curlrc.Alcatraz.Alcatraz.Alcatraz.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\.curlrc.Alcatraz.Alcatraz.Alcatraz.Alcatraz.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT.Alcatraz

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT.Alcatraz.Alcatraz.Alcatraz

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT.Alcatraz.Alcatraz.Alcatraz.Alcatraz

Windows Analysis Report
lQV0SgKoqe.exe

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre