Windows Analysis Report
$RWRW8GN.exe

Overview

General Information

Sample name:	$RWRW8GN.exe
Analysis ID:	1428608
MD5:	5857fbba8e5ac8092ba198aa3dfc9fe6
SHA1:	fa75a8c5ba95375ce13fb471e374b073e13ca48b
SHA256:	11bb618d3843c92fb351fbd30df08971b6385d69e9a9b6e558a8db274af4e087
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

query blbeacon for getting browser version

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\CheatEngine74.exe (copy)	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\CheatEngine74.exe (copy)	Virustotal: Detection: 36%			Perma Link

Multi AV Scanner detection for submitted file

Source: $RWRW8GN.exe	ReversingLabs: Detection: 62%
Source: $RWRW8GN.exe	Virustotal: Detection: 54%			Perma Link

Uses 32bit PE files

Source: $RWRW8GN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49741 version: TLS 1.2

Source: $RWRW8GN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.5:49740 -> 91.202.233.180:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: d2oq4dwfbh6gxl.cloudfront.net

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49741 version: TLS 1.2

Uses 32bit PE files

Source: $RWRW8GN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

query blbeacon for getting browser version

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version

Source: classification engine

Classification label: mal64.winEXE@5/13@3/6

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{6F44C754-77E7-4687-80D4-B48E574DF023}Installer
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6F44C754-77E7-4687-80D4-B48E574DF023}Installer

Source: C:\Users\user\Desktop\$RWRW8GN.exe

File created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp

Source: C:\Users\user\Desktop\$RWRW8GN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\$RWRW8GN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: $RWRW8GN.exe	ReversingLabs: Detection: 62%
Source: $RWRW8GN.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\$RWRW8GN.exe

File read: C:\Users\user\Desktop\$RWRW8GN.exe

Source: unknown	Process created: C:\Users\user\Desktop\$RWRW8GN.exe "C:\Users\user\Desktop\$RWRW8GN.exe"
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp "C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp" /SL5="$3031C,2335682,780800,C:\Users\user\Desktop\$RWRW8GN.exe"
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp "C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp" /SL5="$3031C,2335682,780800,C:\Users\user\Desktop\$RWRW8GN.exe"
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true

Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: zipfldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.staterepositorycore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: dhcpcsvc.dll

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: $RWRW8GN.exe

Static file information: File size 3226240 > 1048576

Source: $RWRW8GN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: $RWRW8GN.exe

Static PE information: section name: .didata

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\botva2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-M41BH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-98J8H.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\$RWRW8GN.exe	File created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\$RWRW8GN.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Memory allocated: 1F517540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Memory allocated: 1F531170000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\botva2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-98J8H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\_isetup\_setup64.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe TID: 6096	Thread sleep count: 198 > 30

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File Volume queried: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-cfaok.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-cfaok.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100" -i -v -d -se=true

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\RAV_Cross.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\WebAdvisor.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\AVG_BRW.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.22.1.235	shield.reasonsecurity.com	United States		13335	CLOUDFLARENETUS	false
13.33.19.164	d2oq4dwfbh6gxl.cloudfront.net	United States		16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
shield.reasonsecurity.com	104.22.1.235	true
mosaic-nova.apis.mcafee.com	52.36.122.185	true
d2oq4dwfbh6gxl.cloudfront.net	13.33.19.164	true
analytics.apis.mcafee.com	unknown	unknown

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\CheatEngine74.exe (copy)	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\CheatEngine74.exe (copy)	Virustotal: Detection: 36%			Perma Link

Multi AV Scanner detection for submitted file

Source: $RWRW8GN.exe	ReversingLabs: Detection: 62%
Source: $RWRW8GN.exe	Virustotal: Detection: 54%			Perma Link

Uses 32bit PE files

Source: $RWRW8GN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49741 version: TLS 1.2

Source: $RWRW8GN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.5:49740 -> 91.202.233.180:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: d2oq4dwfbh6gxl.cloudfront.net

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.33.19.164:443 -> 192.168.2.17:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.1.235:443 -> 192.168.2.17:49741 version: TLS 1.2

Uses 32bit PE files

Source: $RWRW8GN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

query blbeacon for getting browser version

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version

Source: classification engine

Classification label: mal64.winEXE@5/13@3/6

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{6F44C754-77E7-4687-80D4-B48E574DF023}Installer
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6F44C754-77E7-4687-80D4-B48E574DF023}Installer

Source: C:\Users\user\Desktop\$RWRW8GN.exe

File created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp

Source: C:\Users\user\Desktop\$RWRW8GN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\$RWRW8GN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: $RWRW8GN.exe	ReversingLabs: Detection: 62%
Source: $RWRW8GN.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\$RWRW8GN.exe

File read: C:\Users\user\Desktop\$RWRW8GN.exe

Source: unknown	Process created: C:\Users\user\Desktop\$RWRW8GN.exe "C:\Users\user\Desktop\$RWRW8GN.exe"
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp "C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp" /SL5="$3031C,2335682,780800,C:\Users\user\Desktop\$RWRW8GN.exe"
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp "C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp" /SL5="$3031C,2335682,780800,C:\Users\user\Desktop\$RWRW8GN.exe"
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true

Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\$RWRW8GN.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: zipfldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Section loaded: windows.staterepositorycore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Section loaded: dhcpcsvc.dll

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: $RWRW8GN.exe

Static file information: File size 3226240 > 1048576

Source: $RWRW8GN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: $RWRW8GN.exe

Static PE information: section name: .didata

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\botva2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-M41BH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-98J8H.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\$RWRW8GN.exe	File created: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\$RWRW8GN.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Memory allocated: 1F517540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Memory allocated: 1F531170000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\botva2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-98J8H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\_isetup\_setup64.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp TID: 1704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe TID: 7088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe TID: 6096	Thread sleep count: 198 > 30

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

File Volume queried: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-cfaok.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-cfaok.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&is_silent=true&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240419100540&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100" -i -v -d -se=true

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\RAV_Cross.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\WebAdvisor.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\AVG_BRW.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

ID:	1428608
Product:	CloudBasic
Start time:	10:03:33
Start date:	19.04.2024
Sample:	$RWRW8GN.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5857fbba8e5ac8092ba198aa3dfc9fe6
SHA1:	fa75a8c5ba95375ce13fb471e374b073e13ca48b
SHA256:	11bb618d3843c92fb351fbd30df08971b6385d69e9a9b6e558a8db274af4e087
Filetype:	Win32 Executable (generic) a (10002005/4) 98.04%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\AVG_BRW.png (copy)	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced	1CD4A2B4A992ACC9235D9FACD510E236	A6F6331879CC8CF0A6F091CC3C66EA95D1425A57	57F2E86B2C8D9C695073CBAED29C674EF748734460A33ED04AC6888B69288B1F
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\CheatEngine74.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	8F210E8BD05D93667412B67C092619A9	9CAFDC5C862CB30D5B982F8B2055FE4613401296	5E9E9499CBDC5E77474918D8A6F09629F5FDC5CB41B78CFFB83DA64129543689
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\RAV_Cross.png (copy)	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced	CD09F361286D1AD2622BA8A57B7613BD	4CD3E5D4063B3517A950B9D030841F51F3C5F1B1	B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\WebAdvisor.png (copy)	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced	4CFFF8DC30D353CD3D215FD3A5DBAC24	0F4F73F0DDDC75F3506E026EF53C45C6FAFBC87E	0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\botva2.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	67965A5957A61867D661F05AE1F4773E	F14C0A4F154DC685BB7C65B2D804A02A0FB2360D	450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-5O4U5.tmp	PNG image data, 547 x 280, 8-bit/color RGBA, non-interlaced	1CD4A2B4A992ACC9235D9FACD510E236	A6F6331879CC8CF0A6F091CC3C66EA95D1425A57	57F2E86B2C8D9C695073CBAED29C674EF748734460A33ED04AC6888B69288B1F
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-8IG6P.tmp	Zip archive data, at least v2.0 to extract, compression method=deflate	F68008B70822BD28C82D13A289DEB418	06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8	CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-98J8H.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	8F210E8BD05D93667412B67C092619A9	9CAFDC5C862CB30D5B982F8B2055FE4613401296	5E9E9499CBDC5E77474918D8A6F09629F5FDC5CB41B78CFFB83DA64129543689
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-JM3L4.tmp	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced	CD09F361286D1AD2622BA8A57B7613BD	4CD3E5D4063B3517A950B9D030841F51F3C5F1B1	B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-LNRJO.tmp	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced	4CFFF8DC30D353CD3D215FD3A5DBAC24	0F4F73F0DDDC75F3506E026EF53C45C6FAFBC87E	0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-M41BH.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B4172E4B70F90B7D475E882AC3A823CD	0A2849A1C73A180EFC39CD83F0F5F0F4CE2776C7	9CD2C5C417664D48E720AC342B5440B050DD966DA7C836C50CBF8F2F050E6E45
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\is-O9CCD.tmp	Zip archive data, at least v2.0 to extract, compression method=deflate	0B17213886329E2E4583EF701A4CA872	FAD31074A88331E785A6E23B2B95EA509C263ADB	BE1D0D9F58A9C04B45D323BDD25E539E686DB9F27B0AEF61BA822E12B72C320B
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\logo.png	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced	6B7CB2A5A8B301C788C3792802696FE8	DA93950273B0C256DAB64BB3BB755AC7C14F17F3	3EED2E41BC6CA0AE9A5D5EE6D57CA727E5CBA6AC8E8C5234AC661F9080CEDADF
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0 (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B4172E4B70F90B7D475E882AC3A823CD	0A2849A1C73A180EFC39CD83F0F5F0F4CE2776C7	9CD2C5C417664D48E720AC342B5440B050DD966DA7C836C50CBF8F2F050E6E45
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod0.exe (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B4172E4B70F90B7D475E882AC3A823CD	0A2849A1C73A180EFC39CD83F0F5F0F4CE2776C7	9CD2C5C417664D48E720AC342B5440B050DD966DA7C836C50CBF8F2F050E6E45
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1 (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	F68008B70822BD28C82D13A289DEB418	06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8	CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1.zip (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	F68008B70822BD28C82D13A289DEB418	06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8	CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod1_extract\saBSI.exe	PE32 executable (GUI) Intel 80386, for MS Windows	143255618462A577DE27286A272584E1	EFC032A6822BC57BCD0C9662A6A062BE45F11ACB	F5AA950381FBCEA7D730AA794974CA9E3310384A95D6CF4D015FBDBD9797B3E4
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\prod2 (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	0B17213886329E2E4583EF701A4CA872	FAD31074A88331E785A6E23B2B95EA509C263ADB	BE1D0D9F58A9C04B45D323BDD25E539E686DB9F27B0AEF61BA822E12B72C320B
C:\Users\user\AppData\Local\Temp\is-CFAOK.tmp\zbShieldUtils.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FAD0877741DA31AB87913EF1F1F2EB1A	21ABB83B8DFC92A6D7EE0A096A30000E05F84672	73FF938887449779E7A9D51100D7BE2195198A5E2C4C7DE5F93CEAC7E98E3E02
C:\Users\user\AppData\Local\Temp\is-ML8F6.tmp\$RWRW8GN.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	4D79561B3017B113D73B58FC63842C7C	2C5A7F630CE9D0D3B550AC4AADF2DDE0E6434300	C9952A7EB2C7CA76A6B245724B4C4401728B24E306848EC45D28E7B93DC2DD92

Windows Analysis Report
$RWRW8GN.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report $RWRW8GN.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
$RWRW8GN.exe