
Windows Analysis Report
sMvwj6hFVU.exe

Overview

General Information

Sample name: sMvwj6hFVU.exe (renamed because the original name is a hash value)
Original sample name: 35469a165dbc9011554bd98df7e45592.exe
Analysis ID: 1594560
MD5: 35469a165dbc9011554bd98df7e45592
SHA1: 9fc2614f95cb541a4525504a1db6c63ae561573a
SHA256: d21f0290c0a34703fd877da733b45313d2956f7079dd60ab187b399f045fd09a
Tags: exe, ValleyRAT, user-abuse_ch

Detection

GhostRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
The abuse.ch tag names the family ValleyRAT, while Joe Sandbox's YARA rules and configuration extractor match it as GhostRat. ValleyRAT reuses Gh0st RAT code, so the two labels describe the same sample and do not conflict.

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Hijacks the control flow in another process
Modifies the context of a thread in another process (thread injection)
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • sMvwj6hFVU.exe (PID: 5064, cmdline: "C:\Users\user\Desktop\sMvwj6hFVU.exe", MD5: 35469A165DBC9011554BD98DF7E45592)
    • tracerpt.exe (PID: 6448, cmdline: "C:\Windows\System32\tracerpt.exe", MD5: A29A93D4FEC75038326C3C67C370DAC5)
      • conhost.exe (PID: 6204, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)

Malware configuration (GhostRat): {"C2 url": "192.168.1.200:9999"}
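The chain above (a Desktop executable spawning tracerpt.exe with no arguments, which then loads DirectInput/DXGI and talks to the C2) is the pattern a host detection should key on. The following is an added example, not Joe Sandbox output and not the sample's code: a Python triage routine over Sysmon-style events. The event records are constructed from this report's process tree, "Section loaded" entries and Suricata flows; attributing the outbound connection to PID 6448 is an assumption, since the report does not tie the socket to a process.

```python
"""Host-side triage of the execution chain in this report.

Added example (not Joe Sandbox code, not the sample's code). Walks
Sysmon-style events (EventID 1 process create, 7 image load, 3 network
connect) and flags: a user-profile executable spawning a System32 utility,
that utility running with no arguments, loading capture/input DLLs, and
connecting to a non-private address. Sample events are constructed from the
report; the EventID 3 record for PID 6448 is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SYSTEM32 = "c:\\windows\\system32\\"
USER_PROFILE = "c:\\users\\"
# DLLs a trace-report tool has no business loading; taken from the report's
# "Section loaded" list for tracerpt.exe (DirectInput for hooks, DXGI and
# WIC for screen capture, DirectShow device enumeration for cameras/mics).
CAPTURE_DLLS = {"dinput8.dll", "dxgi.dll", "windowscodecs.dll", "devenum.dll", "msdmo.dll"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int]
    loaded: List[str] = field(default_factory=list)
    connections: List[Tuple[str, int]] = field(default_factory=list)


def build_tree(events: List[dict]) -> Dict[int, Proc]:
    """Fold a flat event stream into per-process records keyed by PID."""
    procs: Dict[int, Proc] = {}
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            procs[pid] = Proc(pid, ev["Image"], ev["CommandLine"], ev.get("ParentProcessId"))
        elif ev["EventID"] == 7 and pid in procs:
            procs[pid].loaded.append(ev["ImageLoaded"].rsplit("\\", 1)[-1].lower())
        elif ev["EventID"] == 3 and pid in procs:
            procs[pid].connections.append((ev["DestinationIp"], int(ev["DestinationPort"])))
    return procs


def no_arguments(p: Proc) -> bool:
    # Bare image path and nothing else; tracerpt.exe only prints usage in that case.
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def findings(p: Proc, procs: Dict[int, Proc]) -> List[str]:
    out: List[str] = []
    parent = procs.get(p.parent_pid) if p.parent_pid is not None else None
    sys_image = p.image.lower().startswith(SYSTEM32)
    if sys_image and parent and parent.image.lower().startswith(USER_PROFILE):
        out.append(f"System32 binary spawned by user-profile executable {parent.image}")
    if sys_image and no_arguments(p):
        out.append("launched with no arguments (typical of a hollowing target)")
    odd = CAPTURE_DLLS & set(p.loaded)
    if odd:
        out.append("loads capture/input DLLs: " + ", ".join(sorted(odd)))
    external = [(ip, port) for ip, port in p.connections if ipaddress.ip_address(ip).is_global]
    if external:
        out.append("outbound to non-private address: " + ", ".join(f"{ip}:{port}" for ip, port in external))
    return out


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """PID -> findings, for processes that have at least one."""
    procs = build_tree(events)
    return {p.pid: f for p in procs.values() if (f := findings(p, procs))}


# Constructed from the report's process tree and DLL loads; the EventID 3
# record is assumed (the report does not attribute the socket to a PID).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5064, "ParentProcessId": None,
     "Image": "C:\\Users\\user\\Desktop\\sMvwj6hFVU.exe",
     "CommandLine": '"C:\\Users\\user\\Desktop\\sMvwj6hFVU.exe"'},
    {"EventID": 1, "ProcessId": 6448, "ParentProcessId": 5064,
     "Image": "C:\\Windows\\System32\\tracerpt.exe",
     "CommandLine": '"C:\\Windows\\System32\\tracerpt.exe"'},
    {"EventID": 1, "ProcessId": 6204, "ParentProcessId": 6448,
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    {"EventID": 7, "ProcessId": 6448, "ImageLoaded": "C:\\Windows\\System32\\dinput8.dll"},
    {"EventID": 7, "ProcessId": 6448, "ImageLoaded": "C:\\Windows\\System32\\dxgi.dll"},
    {"EventID": 7, "ProcessId": 6448, "ImageLoaded": "C:\\Windows\\System32\\tdh.dll"},
    {"EventID": 3, "ProcessId": 6448, "DestinationIp": "103.36.221.195", "DestinationPort": 6661},
]

if __name__ == "__main__":
    for pid, notes in triage(SAMPLE_EVENTS).items():
        print(pid, *notes, sep="\n  ")
```

Only PID 6448 is reported; the parent is excluded because the no-argument check is restricted to System32 images (a user-launched tool with no arguments is normal), and conhost.exe is excluded because its parent is itself a System32 image and it carries arguments.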
Yara matches in memory dumps (5 of 30 entries shown)
Source | Rule | Description | Author
00000002.00000003.3759731979.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000002.00000003.3942703621.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000002.00000003.4251514495.000002089AC9D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000002.00000003.3882837598.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000002.00000003.4583767346.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security

Yara matches in unpacked files (5 of 93 entries shown)
Source | Rule | Description | Author
2.3.tracerpt.exe.2089c72e971.9.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.2.sMvwj6hFVU.exe.2b106d1.1.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
2.3.tracerpt.exe.2089d4d1195.25.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
2.2.tracerpt.exe.2089d518291.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
2.3.tracerpt.exe.2089dbd11ed.37.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
                      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-19T07:56:58.658654+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.6 | 49709 | 103.36.221.195 | 6661 | TCP
2025-01-19T07:58:09.268360+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 103.36.221.195 | 6661 | TCP
2025-01-19T07:59:16.059835+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 103.36.221.195 | 8882 | TCP
2025-01-19T08:00:27.221825+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 103.36.221.195 | 6661 | TCP


                      AV Detection

Source: 2.3.tracerpt.exe.2089dbd11ed.37.unpack | Malware Configuration Extractor: GhostRat {"C2 url": "192.168.1.200:9999"}
Source: sMvwj6hFVU.exe | Virustotal: Detection: 70%
Source: sMvwj6hFVU.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: sMvwj6hFVU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\tracerpt.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, [:
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE9960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW

                      Networking

Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.6:49709 -> 103.36.221.195:6661
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.6:49711 -> 103.36.221.195:6661
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.6:49987 -> 103.36.221.195:8882
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.6:49991 -> 103.36.221.195:6661
Source: Malware configuration extractor | URLs: 192.168.1.200:9999
Note: 192.168.1.200 is RFC 1918 private address space, so the extracted C2 cannot be reached from a victim on the Internet and should not be published as a network indicator. The endpoint the sample actually contacted during analysis is 103.36.221.195 on TCP 6661 and 8882, reached by IP with no preceding DNS query.
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 103.36.221.195:6661
Source: Joe Sandbox View | ASN Name: CHINA169-BJ China Unicom Beijing Province Network (CN)
Source: unknown | TCP traffic detected without corresponding DNS query: 103.36.221.195 (50 identical entries in the report)
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe | Code function: 0_2_00007FF6B4973690 select,recv,_errno,_errno,_errno
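To turn the Networking entries above into something a sensor can use, the added example below (mine, not Joe Sandbox's and not the sample's code) builds the IOC set from the Suricata alerts and the extracted configuration, discards the RFC 1918 entry, and sweeps Zeek-style conn.log lines for hits. The alert tuples and the configuration value are the report's; the conn.log rows are constructed for the example, and the ip_only matching mode is an assumption about how an analyst may want to hunt, not something the report states.

```python
"""Network IOC handling for the C2 endpoints in this report.

Added example; not Joe Sandbox code and not the sample's code. The alert
tuples and the extracted configuration are copied from the report; the
conn.log rows are constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

IOC = Tuple[str, int]  # (destination IP, destination port)

# From the report's Suricata table: SID 2052875, "ET MALWARE Anonymous RAT CnC Checkin".
SURICATA_ALERTS = [
    ("192.168.2.6", 49709, "103.36.221.195", 6661),
    ("192.168.2.6", 49711, "103.36.221.195", 6661),
    ("192.168.2.6", 49987, "103.36.221.195", 8882),
    ("192.168.2.6", 49991, "103.36.221.195", 6661),
]
# From the report's malware configuration extractor.
EXTRACTED_CONFIG = {"C2 url": "192.168.1.200:9999"}


def parse_hostport(value: str) -> IOC:
    host, _, port = value.rpartition(":")
    return host, int(port)


def split_iocs(alerts, config) -> Tuple[Set[IOC], Set[IOC]]:
    """Return (actionable, rejected). Anything outside globally routable
    space (RFC 1918, loopback, link-local) cannot be a victim-facing C2 and
    would only generate false positives if pushed to sensors."""
    candidates = {(dst, dport) for _src, _sport, dst, dport in alerts}
    candidates.add(parse_hostport(config["C2 url"]))
    actionable = {c for c in candidates if ipaddress.ip_address(c[0]).is_global}
    return actionable, candidates - actionable


def sweep_conn_log(lines: Iterable[str], iocs: Set[IOC], ip_only: bool = False) -> List[Dict[str, str]]:
    """Match Zeek conn.log rows (tab-separated, standard column order) against
    the IOC set. ip_only=True also catches the same host on ports the sandbox
    never observed, at the cost of more noise."""
    ips = {ip for ip, _ in iocs}
    hits: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")[:7]
        if (resp_h, int(resp_p)) in iocs or (ip_only and resp_h in ips):
            hits.append({"ts": ts, "uid": uid, "src": f"{orig_h}:{orig_p}",
                         "dst": f"{resp_h}:{resp_p}", "proto": proto})
    return hits


# Constructed conn.log excerpt. Row 2 reuses the C2 host on a port the sandbox
# never saw; row 4 goes to the unroutable configured C2; row 5 is benign.
SAMPLE_CONN_LOG = "\n".join("\t".join(map(str, row)) for row in [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"),
    ("1737269818.658654", "CjA1x1", "192.168.2.6", 49709, "103.36.221.195", 6661, "tcp"),
    ("1737269900.000000", "CjA1x2", "192.168.2.6", 49800, "103.36.221.195", 443, "tcp"),
    ("1737269956.059835", "CjA1x3", "192.168.2.6", 49987, "103.36.221.195", 8882, "tcp"),
    ("1737270000.000000", "CjA1x4", "192.168.2.6", 50010, "192.168.1.200", 9999, "tcp"),
    ("1737270050.000000", "CjA1x5", "192.168.2.6", 50020, "1.1.1.1", 53, "udp"),
])

if __name__ == "__main__":
    actionable, rejected = split_iocs(SURICATA_ALERTS, EXTRACTED_CONFIG)
    print("actionable:", sorted(actionable), "rejected:", sorted(rejected))
    for hit in sweep_conn_log(SAMPLE_CONN_LOG.splitlines(), actionable, ip_only=True):
        print(hit)
```

The strict (ip, port) match finds only the two ports seen in the sandbox; the ip_only mode additionally catches the 443 row, which is the kind of follow-on session a RAT with a second listener can open. The 192.168.1.200:9999 row never matches because that entry is rejected before matching starts.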

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADF2000 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADEEBE0 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
Source: sMvwj6hFVU.exe, 00000000.00000002.4591173948.0000000002AC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create (memstr_18873442-f)
Source: C:\Windows\System32\tracerpt.exe | Windows user hook set: 0 mouse low level C:\Windows\System32\DINPUT8.dll
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADEE0E8 ExitWindowsEx
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADEE097 ExitProcess,ExitWindowsEx
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADEE0C7 ExitWindowsEx
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe | Code functions: 0_2_00007FF6B49773D0, 0_2_00007FF6B4976F70, 0_2_00007FF6B4973390, 0_2_00007FF6B4976860, 0_2_00007FF6B4976C80, 0_2_00007FF6B497E1C0, 0_2_00007FF6B497AD44, 0_2_00007FF6B497A30C, 0_2_00007FF6B497C28C, 0_2_00007FF6B49824BC, 0_2_00007FF6B49858CC, 0_2_00007FF6B4986130, 0_2_00007FF6B4986C50, 0_2_00007FF6B4984898, 0_2_00007FF6B4972880
Source: C:\Windows\System32\tracerpt.exe | Code functions: 2_2_000002089ADEEBE0, 2_2_000002089ADE3360, 2_2_000002089ADE74F0, 2_2_000002089ADE8440, 2_2_000002089ADE6790, 2_2_000002089ADFFF94, 2_2_000002089ADF15C0, 2_2_000002089ADF1BF0, 2_2_000002089ADE3BA0, 2_2_000002089ADFD328, 2_2_000002089ADFF4E8, 2_2_000002089AE0B4EC, 2_2_000002089AE02D00, 2_2_000002089AE09CA0, 2_2_000002089ADE9460, 2_2_000002089AE00414, 2_2_000002089AE00A00, 2_2_000002089ADEC1A0, 2_2_000002089ADE5930, 2_2_000002089ADFAA5C, 2_2_000002089AE0C804, 2_2_000002089ADF5F90, 2_2_000002089ADEF790, 2_2_000002089AE00F30, 2_2_000002089ADFB0BC, 2_2_000002089ADFC870, 2_2_000002089ADEB050, 2_2_000002089ADE2850, 2_2_000002089AE0BD50, 2_2_000002089ADEF520, 2_2_000002089AE0CD40, 2_2_000002089ADFBEDC, 2_2_000002089ADE8EC0, 2_2_000002089ADE9650, 2_2_000002089ADFAE80, 2_2_000002089AE03650, 2_2_000002089AB25401, 2_2_000002089AB22321, 2_2_000002089AB404D1, 2_2_000002089AB2BC71, 2_2_000002089AB3B9AD, 2_2_000002089AB28991, 2_2_000002089AB29121, 2_2_000002089AB3FA65, 2_2_000002089AB35A61, 2_2_000002089AB26261, 2_2_000002089AB26FC1, 2_2_000002089AB2EFF1, 2_2_000002089AB427D1, 2_2_000002089AB31091, 2_2_000002089AB3A52D, 2_2_000002089AB316C1, 2_2_000002089AB2E6B1, 2_2_000002089AB3FEE5, 2_2_000002089AB22E31, 2_2_000002089AB23671
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/0@0/1
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE8C80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE92E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADEA900 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE8E00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE8180 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE7400 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\System32\tracerpt.exe | Code function: 2_2_000002089ADE74F0 lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,RegQueryValueExW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW
Source: C:\Windows\System32\tracerpt.exe | Mutant created: \Sessions\1\BaseNamedObjects\2025. 1. 9
Note: the mutex name is a date-like string and is a usable host-level indicator; the "Found evasive API chain (may stop execution after checking mutex)" signature above means a second instance is expected to exit when it already exists.
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: sMvwj6hFVU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sMvwj6hFVU.exe | Virustotal: Detection: 70%
Source: sMvwj6hFVU.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\sMvwj6hFVU.exe "C:\Users\user\Desktop\sMvwj6hFVU.exe"
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe | Process created: C:\Windows\System32\tracerpt.exe "C:\Windows\System32\tracerpt.exe"
Source: C:\Windows\System32\tracerpt.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe | Sections loaded: apphelp.dll, winmm.dll, mswsock.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\System32\tracerpt.exe | Sections loaded: tdh.dll, xmllite.dll, tdh.dll, dbghelp.dll, wevtapi.dll, pdh.dll, winmm.dll, dxgi.dll, dinput8.dll, inputhost.dll, coremessaging.dll, propsys.dll, wintypes.dll, coreuicomponents.dll, ntmarta.dll, kernel.appcore.dll, kernel.appcore.dll, mswsock.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, resourcepolicyclient.dll, uxtheme.dll, devenum.dll, devobj.dll, msasn1.dll, msdmo.dll, windowscodecs.dll
                      Source: C:\Windows\System32\tracerpt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32Jump to behavior
                      Source: sMvwj6hFVU.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: sMvwj6hFVU.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: C:\Users\user\Desktop\sMvwj6hFVU.exeCode function: 0_2_00007FF6B4978370 LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,0_2_00007FF6B4978370
                      Source: sMvwj6hFVU.exeStatic PE information: real checksum: 0x29194 should be: 0x26a9f
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089AE0F949 push rbp; retf 2_2_000002089AE0F974
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089ADE00B7 push rdi; ret 2_2_000002089ADE00BD
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089AB28428 push ecx; ret 2_2_000002089AB28429
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089AB2847D push eax; ret 2_2_000002089AB2847E
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089AB40449 pushfd ; ret 2_2_000002089AB4044A
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089AB3F787 push cs; retf 2_2_000002089AB3F788
                      Source: C:\Windows\System32\tracerpt.exeCode function: 2_2_000002089ADEE03A OpenEventLogW,ClearEventLogW,CloseEventLog,2_2_000002089ADEE03A
                      Source: C:\Users\user\Desktop\sMvwj6hFVU.exeKey value created or modified: HKEY_CURRENT_USER\Console\1 9e9e85e05ee16fc372a0c7df6549fbd4Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\tracerpt.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_2-31220
Source: C:\Windows\System32\tracerpt.exe Stalling execution: Execution stalls by calling Sleep graph_2-31231
Source: C:\Windows\System32\tracerpt.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Window / User API: threadDelayed 2743
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Window / User API: threadDelayed 6921
Source: C:\Windows\System32\tracerpt.exe Window / User API: threadDelayed 1484
Source: C:\Windows\System32\tracerpt.exe Window / User API: threadDelayed 3482
Source: C:\Windows\System32\tracerpt.exe Window / User API: threadDelayed 4452
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-9639
Source: C:\Windows\System32\tracerpt.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-31367
Source: C:\Windows\System32\tracerpt.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_2-31510
Source: C:\Windows\System32\tracerpt.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep graph_2-31513
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-8435
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe TID: 4340 Thread sleep count: 308 > 30
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe TID: 6240 Thread sleep count: 2743 > 30
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe TID: 6240 Thread sleep time: -8229000s >= -30000s
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe TID: 6240 Thread sleep count: 6921 > 30
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe TID: 6240 Thread sleep time: -20763000s >= -30000s
Source: C:\Windows\System32\tracerpt.exe TID: 1136 Thread sleep time: -1484000s >= -30000s
Source: C:\Windows\System32\tracerpt.exe TID: 3404 Thread sleep time: -34820s >= -30000s
Source: C:\Windows\System32\tracerpt.exe TID: 1136 Thread sleep time: -4452000s >= -30000s
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\tracerpt.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\tracerpt.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\tracerpt.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\tracerpt.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\tracerpt.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\tracerpt.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADE9960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW, 2_2_000002089ADE9960
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADE89F0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 2_2_000002089ADE89F0
Source: sMvwj6hFVU.exe, 00000000.00000002.4590615498.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW+
Source: tracerpt.exe, 00000002.00000002.4590879977.000002089AC2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe API call chain: ExitProcess graph end node graph_0-8437
Source: C:\Windows\System32\tracerpt.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B497A5F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6B497A5F4
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B4978370 LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary, 0_2_00007FF6B4978370
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B498754C GetProcessHeap, 0_2_00007FF6B498754C
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B4978580 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep, 0_2_00007FF6B4978580
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B497A5F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6B497A5F4
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B4978AD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6B4978AD0
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B497CF6C SetUnhandledExceptionFilter, 0_2_00007FF6B497CF6C
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADF15C0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 2_2_000002089ADF15C0
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADF4CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_000002089ADF4CD0
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADFC1C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000002089ADFC1C4
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089AE0F5A8 SetUnhandledExceptionFilter, 2_2_000002089AE0F5A8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Memory allocated: C:\Windows\System32\tracerpt.exe base: 2089AB20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B4976C80 GetSystemDirectoryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread, 0_2_00007FF6B4976C80
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADEA410 VirtualAllocEx,TerminateProcess,OpenProcess,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx, 2_2_000002089ADEA410
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADE8EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, 2_2_000002089ADE8EC0
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Memory written: PID: 6448 base: 2089AB20000 value: E9
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Thread register set: target process: 6448
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Memory written: C:\Windows\System32\tracerpt.exe base: 2089AB20000
Source: C:\Windows\System32\tracerpt.exe Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 2_2_000002089ADE8EC0
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Process created: C:\Windows\System32\tracerpt.exe "C:\Windows\System32\tracerpt.exe"
Source: tracerpt.exe, 00000002.00000002.4592117542.000002089D630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: tracerpt.exe, 00000002.00000003.3699244355.000002089C6A1000.00000004.00000020.00020000.00000000.sdmp, tracerpt.exe, 00000002.00000003.4583621957.000002089C6E1000.00000004.00000020.00020000.00000000.sdmp, tracerpt.exe, 00000002.00000002.4591869083.000002089C6E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .2.6 0 min347688Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 32902 Microsoft Basic Render Driver 0 32902 Program Manager
Source: C:\Windows\System32\tracerpt.exe Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 2_2_000002089ADE6790
Source: C:\Windows\System32\tracerpt.exe Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free, 2_2_000002089AE073F4
Source: C:\Windows\System32\tracerpt.exe Code function: _getptd,GetLocaleInfoA, 2_2_000002089AE05BD8
Source: C:\Windows\System32\tracerpt.exe Code function: GetLocaleInfoW, 2_2_000002089AE05CC0
Source: C:\Windows\System32\tracerpt.exe Code function: EnumSystemLocalesA, 2_2_000002089AE061E8
Source: C:\Windows\System32\tracerpt.exe Code function: GetLocaleInfoW, 2_2_000002089AE0F190
Source: C:\Windows\System32\tracerpt.exe Code function: EnumSystemLocalesA, 2_2_000002089AE06150
Source: C:\Windows\System32\tracerpt.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 2_2_000002089AE06254
Source: C:\Windows\System32\tracerpt.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW, 2_2_000002089AE06020
Source: C:\Windows\System32\tracerpt.exe Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW, 2_2_000002089ADFE590
Source: C:\Windows\System32\tracerpt.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW, 2_2_000002089AE05D50
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B497D710 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00007FF6B497D710
Source: C:\Windows\System32\tracerpt.exe Code function: 2_2_000002089ADFFF94 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_000002089ADFFF94
Source: C:\Users\user\Desktop\sMvwj6hFVU.exe Code function: 0_2_00007FF6B4979EC8 HeapCreate,GetVersion,HeapSetInformation, 0_2_00007FF6B4979EC8
Source: tracerpt.exe Binary or memory string: acs.exe
Source: tracerpt.exe Binary or memory string: avcenter.exe
Source: tracerpt.exe Binary or memory string: vsserv.exe
Source: tracerpt.exe Binary or memory string: kxetray.exe
Source: tracerpt.exe Binary or memory string: avp.exe
Source: tracerpt.exe Binary or memory string: KSafeTray.exe
Source: tracerpt.exe Binary or memory string: cfp.exe
Source: tracerpt.exe Binary or memory string: 360Safe.exe
Source: tracerpt.exe Binary or memory string: rtvscan.exe
Source: tracerpt.exe Binary or memory string: 360tray.exe
Source: tracerpt.exe Binary or memory string: TMBMSRV.exe
Source: tracerpt.exe Binary or memory string: ashDisp.exe
Source: tracerpt.exe Binary or memory string: 360Tray.exe
Source: tracerpt.exe Binary or memory string: avgwdsvc.exe
Source: tracerpt.exe Binary or memory string: AYAgent.aye
Source: tracerpt.exe Binary or memory string: RavMonD.exe
Source: tracerpt.exe Binary or memory string: QUHLPSVC.EXE
Source: tracerpt.exe Binary or memory string: Mcshield.exe
Source: tracerpt.exe Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sMvwj6hFVU.exe.2b106d1.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089d518291.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.37.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.38.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089ac9dc5d.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089ac9dc5d.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089acab5bd.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.32.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089c6e7841.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sMvwj6hFVU.exe.2b106d1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sMvwj6hFVU.exe.2ac1116.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d55fbd1.36.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089d55fbd1.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.39.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089c6e7841.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089ade0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089d5a6d01.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sMvwj6hFVU.exe.2dd11a5.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sMvwj6hFVU.exe.2dd11a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.30.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sMvwj6hFVU.exe.2ac1116.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.35.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d55fbd1.36.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089d55fbd1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089ab206d1.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089acab5bd.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.40.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089ab206d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089c72e971.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.37.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.38.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.39.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089c72e971.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d55fbd1.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.40.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089ade0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.41.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d55fbd1.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089dbd11ed.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c72e971.41.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d55fbd1.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.30.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d55fbd1.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.35.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d518291.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089d5a6d01.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089c6e7841.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tracerpt.exe.2089d518291.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.tracerpt.exe.2089d4d1195.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.3759731979.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3942703621.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.4251514495.000002089AC9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3882837598.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.4583767346.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3942802671.000002089ACA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4590618243.000002089AB20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.4232237579.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4591173948.0000000002AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3718874474.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4591239537.0000000002B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4591496792.000002089ADE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3239172544.000002089AC8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3581295391.000002089ACA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.4583621957.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2366047195.000002089C6E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3540036859.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3902292296.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3699244355.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.4232057098.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3759951032.000002089ACA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3238954052.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4592117542.000002089D517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.4292089568.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2226784084.000002089AC67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3540627433.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3719547760.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4591901428.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3581137425.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.3883282470.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4591451948.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.3364069994.000002089C6E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.4251623265.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: sMvwj6hFVU.exe PID: 5064, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: tracerpt.exe PID: 6448, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sMvwj6hFVU.exe.2b106d1.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.25.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089d518291.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.37.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.38.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.21.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089ac9dc5d.33.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089ac9dc5d.33.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089acab5bd.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.32.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089c6e7841.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sMvwj6hFVU.exe.2b106d1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sMvwj6hFVU.exe.2ac1116.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.34.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d55fbd1.36.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089d55fbd1.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.39.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089c6e7841.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089ade0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089d5a6d01.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.22.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sMvwj6hFVU.exe.2dd11a5.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sMvwj6hFVU.exe.2dd11a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.30.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sMvwj6hFVU.exe.2ac1116.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.18.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.35.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d55fbd1.36.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.19.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089d55fbd1.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089ab206d1.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089acab5bd.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.40.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089ab206d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.31.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.15.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089c72e971.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.37.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.19.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.29.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.23.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.38.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.39.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.22.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.21.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089c72e971.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.28.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d55fbd1.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.40.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.23.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.24.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089ade0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.29.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.32.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.41.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.27.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d55fbd1.26.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.20.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.31.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089dbd11ed.28.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c72e971.41.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d55fbd1.26.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.30.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d55fbd1.17.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.35.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d518291.27.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089d5a6d01.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.24.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089c6e7841.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.25.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.tracerpt.exe.2089d518291.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.3.tracerpt.exe.2089d4d1195.34.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000003.3759731979.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3942703621.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4251514495.000002089AC9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3882837598.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4583767346.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3942802671.000002089ACA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.4590618243.000002089AB20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4232237579.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4591173948.0000000002AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3718874474.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4591239537.0000000002B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.4591496792.000002089ADE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3239172544.000002089AC8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3581295391.000002089ACA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4583621957.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.2366047195.000002089C6E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3540036859.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3902292296.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3699244355.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4232057098.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3759951032.000002089ACA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3238954052.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.4592117542.000002089D517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4292089568.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.2226784084.000002089AC67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3540627433.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3719547760.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.4591901428.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3581137425.000002089DBD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3883282470.000002089C6E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.4591451948.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.3364069994.000002089C6E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000003.4251623265.000002089D4D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: sMvwj6hFVU.exe PID: 5064, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: tracerpt.exe PID: 6448, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques grouped by tactic column; a number in parentheses is the count the matrix shows for that technique, techniques without a number are the matrix's unmatched entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (622); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Obfuscated Files or Information (1); DLL Side-Loading (1); Modify Registry (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (622); Indicator Removal (1); Indicator Removal from Tools
Credential Access: Input Capture (121); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (1); System Information Discovery (16); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); Process Discovery (3); Application Window Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Screen Capture (1); Input Capture (121); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.